News Stream Books Videos Web Conferences Subscriptions Advertise About IAPP Publications
Daily Dashboard Daily Dashboard

The day’s top stories from around the world

 AI Governance Dashboard – New AI Governance Dashboard – New

Stay on top of the latest AI governance news and developments of the profession.

 The Privacy Advisor The Privacy Advisor

Original reporting and feature articles on the latest privacy developments

 Privacy Perspectives Privacy Perspectives

Where the real conversations in privacy happen

 Privacy Tech Privacy Tech

Exploring the technology of privacy

 Canada Dashboard Digest Canada Dashboard Digest

A roundup of the top Canadian privacy news

 Europe Data Protection Digest Europe Data Protection Digest

A roundup of the top European data protection news

 Asia-Pacific Dashboard Digest Asia-Pacific Dashboard Digest

A roundup of the top privacy news from the Asia-Pacific region

 Latin America Dashboard Digest Latin America Dashboard Digest

A roundup of the top privacy news from Latin America

 U.S. Privacy Digest U.S. Privacy Digest

A roundup of US privacy news
Overview KnowledgeNet Chapters Sections Affinity Groups Volunteer Annual Awards Career Central
Find a KnowledgeNet Chapter Near You

Talk privacy and network with local members at IAPP KnowledgeNet Chapter meetings, taking place worldwide.

 IAPP Job Board

Looking for a new challenge, or need to hire your next privacy pro? The IAPP Job Board is the answer.

 IAPP Calendar

Review a filterable list of conferences, KnowledgeNets, LinkedIn Live broadcasts, networking events, web conferences and more.
Overview Online Training Live Online Training In-Person Training Books Practice Exams Train Your Staff Official Training Partners Web Conferences
Artificial Intelligence Governance Professional Artificial Intelligence Governance Professional

Learn how to surround AI with policies and procedures that make the most of its potential by reducing its risks.

 European Data Protection (CIPP/E)

Understand Europe’s framework of laws, regulations and policies, most significantly the GDPR.

 U.S. Private-Sector Privacy (CIPP/US)

Steer a course through the interconnected web of federal and state laws governing U.S. data privacy.

 Canadian Privacy (CIPP/C)

Learn the intricacies of Canada’s distinctive federal/provincial/territorial data privacy governance systems.

 Privacy Program Management (CIPM)

Develop the skills to design, build and operate a comprehensive data protection program.

Privacy in Technology (CIPT)

Add to your tech knowledge with deep training in privacy-enhancing technologies and how to deploy them.

 Foundations of Privacy and Data Protection

Introductory training that builds organizations of professionals with working privacy knowledge.

 Privacy Law Specialist Training (PLS)

Meet the stringent requirements to earn this American Bar Association-certified designation.
Overview Certification Programs Get Certified How to Prepare Continuing Privacy Education (CPE) Fees Certify Your Staff Verify a Certification
CIPP Certification CIPP Certification

The global standard for the go-to person for privacy laws, regulations and frameworks

 CIPM Certification CIPM Certification

The first and only privacy certification for professionals who manage day-to-day operations

 CIPT Certification CIPT Certification

As technology professionals take on greater privacy responsibilities, our updated certification is keeping pace with 50% new content covering the latest developments.

 FIP Designation FIP Designation

Recognizing the advanced knowledge and issue-spotting skills a privacy pro must attain in today’s complex world of data privacy.

 Privacy Law Specialist Privacy Law Specialist

The first title to verify you meet stringent requirements for knowledge, skill, proficiency and ethics in privacy law, and one of the ABA’s newest accredited specialties.

 AIGP Certification AIGP Certification

Ensures individuals responsible for AI systems can reduce the risks associated with this technology.

 Certificação CDPO/BR Certificação CDPO/BR

Mostre seus conhecimentos na gestão do programa de privacidade e na legislação brasileira sobre privacidade.

 Certification CDPO/FR Certification CDPO/FR

Certification des compétences du DPO fondée sur la législation et règlementation française et européenne, agréée par la CNIL.
Tools and Trackers Research Glossary Global Privacy Directory Enforcement Database Westin Research Center Web Conferences Jobs Privacy Vendor Marketplace
Global Privacy Directory

This tool identifies global data protection authorities and privacy legislation.
US State Privacy Legislation Tracker

The IAPP’s US State Privacy Legislation Tracker consists of proposed and enacted comprehensive state privacy bills from across the U.S.
Reports and Surveys

Access all reports and surveys published by the IAPP.
Privacy Governance Report

This report shines a light on the location, performance and significance of privacy governance within organizations.
Privacy Risk Study

This year’s Privacy Risk Study represents the most comprehensive study of privacy risk undertaken by the IAPP in collaboration with KPMG.
Artificial Intelligence

On this topic page, you can find the IAPP’s collection of coverage, analysis and resources covering AI connections to the privacy space.
CCPA and CPRA

IAPP members can get up-to-date information here on the California Consumer Privacy Act and the California Privacy Rights Act.
EU General Data Protection Regulation

The IAPP's EU General Data Protection Regulation page collects the guidance, analysis, tools and resources you need to make sure you're meeting your obligations.
Data Protection Intensive: UK Data Protection Intensive: UK

Explore the full range of U.K. data protection issues, from global policy to daily operational details.

Global Privacy Summit Global Privacy Summit

Expand your network and expertise at the world’s top privacy event featuring A-list keynotes and high-profile experts.

AI Governance Global AI Governance Global

A new event in Brussels for business leaders, tech and privacy pros who work with AI to learn about practical AI governance, accountability, the EU AI Act and more.

 Canada Privacy Symposium Canada Privacy Symposium

Leaders from across the Canadian privacy field deliver insights, discuss trends, offer predictions and share best practices.

Asia Privacy Forum Asia Privacy Forum

Hear top experts discuss global privacy issues and regulations affecting business across Asia.

 Privacy. Security. Risk. (P.S.R.) Privacy. Security. Risk. (P.S.R.)

P.S.R. focuses on the intersection of privacy and technology. The call for proposals to speak at the 2024 event is open. Submit your ideas today.

 Europe Data Protection Congress Europe Data Protection Congress

Europe’s top experts offer pragmatic insights into the evolving landscape and share knowledge on best practices for your data protection operation.

 ANZ Summit ANZ Summit

Gain exclusive insights about how privacy affects business in Australia and Aotearoa New Zealand.

 Speak at an IAPP Event

View our open calls and submission instructions.

 Sponsor an Event

Increase visibility for your organization — check out sponsorship opportunities today.

Individual Membership Corporate Membership Group Membership Student Membership
Become a Member

Start taking advantage of the many IAPP member benefits today

 Corporate Members

See our list of high-profile corporate members—and find out why you should become one, too

 Renew Your Membership

Don’t miss out for a minute—continue accessing your benefits
{[product.name]} {[ product.name ]}
clear
mode_editEdit
remove_circle_outline {[ getCartItemQuantity(product.id) ]} add_circle_outline
{[ product.price | currencyFilter ]}
TOTAL: {[ getCartTotalCost() | currencyFilter ]} Update cart for total shopping_basket Checkout

The Privacy Advisor | Managing data breaches in the cloud Related reading: A view from DC: Will Maryland end the era of notice and choice?

rss_feed

The day-to-day business penetration of cloud services has reached an all-time high and is expected to grow further in 2020. With the adoption of cloud services, the regular data controller and data processor setup is also becoming more obsolete and transforms into a data controller (regular data processor), one or more cloud service provider (sub-processor), or data controller (one or more CSP data processors set up in the EU). This implies the threat landscape and privacy risks data controllers must face change significantly, and under the EU General Data Protection Regulation’s accountability principle, data controllers that use cloud service resources must prepare themselves in advance to effectively manage “cross-entity” data-processing activities, the related risks and potential data breaches.

Major data protection risks in the cloud

The National Institute of Standards and Technology classifies cloud service models as software as a service, platform as a service, and infrastructure as a service. It classifies deployment models as public, hybrid, community and private clouds. Cloud tenants (e.g., data controllers) in each service and deployment model have different responsibilities. Data controllers have the most control over privately deployed cloud services, whereas full-scale public cloud IaaS deployments push data controllers forward to develop sound technical and organizational measures and procedures to effectively manage the related data protection risks and possible data breaches to comply with data breach notice requirements under the GDPR and to be able to notify the relevant supervisory authority at least within 72 hours of becoming aware of a personal data breach.

The root cause of data breaches in the cloud are usually not different than in on-premise data-processing activities: mostly human error, unauthorized access and accidental insider threats. According to the Open Web Application Security Project, major privacy risks include operator sided data leakage, insufficient data breach responses, insufficient deletion of personal data, sharing of data with third-parties and insecure data transfers. Data controllers must also take into consideration the constantly changing cloud service landscape and changing application programming interfaces.

Data breach management procedures and playbooks

While cloud data breach response steps may look like on-premise data breach management procedures, the cloud is different. It is good practice to prepare data breach management playbooks in advance to address the top data protection risks within the cloud. Playbooks may be as precise and easy-to-follow as possible and may include the roles and responsibilities of the data controller and the CSP, description of the identified and tested communication channels and personnel, data breach evaluation and escalation criteria that enables the data controller to remain in charge (despite many CSP provide evaluation criteria as part of their “built-in” incident management solutions), forensic investigation and measures to ensure electronic evidence’s chain of custody, content and format of data the CSP may provide to the data controller in case of the suspicion of a data breach, and the description of data sources required to manage data breaches.

It is critical to regularly test, improve and keep up to date the playbooks. If the CSP provides separate users or tools to perform forensic investigations, log analysis and data breach management support, then data controllers may set up these users or tools in advance. Playbook tests may be “table-top” tests or real simulations. In case of higher risk scenarios, the full-scale simulations are recommended, while table-top tests may be used as validity checks and to practice the whole process overall. Responsible staff may not be limited to IT or to the compliance function but the data controllers’ public relations, and the CSP’s personnel should also be involved in the identification, evaluation, assessment and communication of data breaches either to supervisory authorities or affected data subjects.

The era of 'clickwrap' data-processing agreements

Technological advancement has brought widely open and easy-to-access cloud services to organizations. However, what may make organizations perplexed is the upside-down regulatory requirements against data controllers and data processors. The Article 29 Working Party confirmed its prior opinion and stated in its guidelines on personal data breach notifications under the GDPR that data “controllers and processors are […] encouraged to plan in advance and put in place processes to be able to detect and promptly contain a breach, to assess the risk to individuals, and then to determine whether it is necessary to notify the competent supervisory authority, and to communicate the breach to the individuals concerned when necessary.” In practice, this means data controllers and processors must not only have to implement a data breach management process, but also a sound, effective and well-tested data breach response plan. To achieve the goal of effective data breach management, controllers and processors must rely on the incident management responses provided by CSPs in cloud environments, dependent on the service and deployment model.

The imbalance of power between CSP tech giants and their customers resulted in the application of “clickwrap” data-processing agreements, in which the data controller — who is ultimately responsible for data breaches in the cloud — may only pick the “take-it-or-leave-it” option when choosing a CSP. Data controllers may also consider the cooperation options and support in data breach management when selecting a CSP to be able to demonstrate GDPR-related accountability. Therefore, data controllers may incorporate into their vendor (CSP) risk assessment processes to assess and evaluate before migrating into the cloud the aspects and factors as follows.

  • Service level agreements: What service levels the CSP may willing to undertake during normal operations and in case of suspicion of a data breach?
  • Service governance: How may the IT governance processes of the CSP and the data controller align? How does the CSP govern the provision of services and manage changes in the service landscape by introducing or sunsetting features or services?
  • Audit rights: Larger CSPs may not allow their customers to directly audit the CSP’s operations; however, CSPs may provide internationally recognized audit certifications or reports.
  • Information security and privacy solution support: What kind of data protection compliance support the CSP may provide to its customers (e.g., in terms of event monitoring, retention periods, deletions and encryption/pseudonymization).
  • Testing opportunities: Data controllers must implement a process for regularly testing, assessing and evaluating the effectiveness of their data protection related controls; thus, it is crucial what support a CSP may provide to the data controller to test data breach management plans and playbooks.
  • Data breach management support: It is critical how the CSP will provide support to manage security events, including forensic support and ensuring the chain of custody.

The use of cloud services is becoming mainstream. Before moving to the cloud, relevant business users acting as a data controller must consider compliance with personal data breach management and notice requirements under European data protection laws and evaluate whether the chosen provider ensures sufficient guarantees. In that regard, the technical and organizational measures implemented by the CSP and the CSP’s smooth cooperation in the data breach response playbook is paramount in producing evidence regarding data protection accountability.

Photo by Sam Schooler on Unsplash


Approved
CIPM, CIPP/A, CIPP/C, CIPP/E, CIPP/G, CIPP/US, CIPT
Credits: 1

Submit for CPEs

Authors
Headshot Ádám Liber, CIPP/E, CIPM, FIP IAPP Member Contributor
Headshot Tamas Bereczki, CIPP/E IAPP Member Contributor
Tags
Cloud Computing
Privacy Operations Management
2 Comments

If you want to comment on this post, you need to login.

  • comment Remy Lang • Jan 29, 2020 
    Dear Adam and Tamas, could you explain what you mean by "With the adoption of cloud services, the regular data controller and data processor setup is also becoming more obsolete and transforms into a data controller (regular data processor), one or more cloud service provider (sub-processor), or data controller (one or more CSP data processors set up in the EU)."? I'm having trouble to understand the new forms of setups that you describe. Best regards.
  • comment Tamas Bereczki • Jan 30, 2020 
    Dear Remy, Thank you for your comment. To clarify, we thought that cloud services are public utilities for cloud customers and such customers must rely on multiple sub-processor situations. The longer the chain of subcontractors is, the higher will be the risk of potential infringements for the controller and the enforcement of accountability related activities and data subject rights also becomes more difficult. The GDPR does not seem to regulate situations with the imbalance of power on the part of [tech] giant cloud service providers who do not apply any limits regarding the length of their subcontractor chain. Cloud customers should be able to expect from such tech giants that they take effective steps to operationalize data protection accountability requirements that should also include strict supplier chain management measures. Also, the traditional role of data controllers seem to vanish in the cloud service provider - multiple data controller setup, because of said imbalance of power between the parties. Kind regards.
Related Stories
FISA Section 702's Reauthorization Era
For the past several months, news of the reauthorization of and potential amendments to Section 702 of the U.S. Foreign Intelligence Surveillance Act has had policy and privacy professioals on their toes. FISA Section 702, which authorizes limited warrantless surveillance of certain communications, ...
Read More queue Save This
A view from Brussels: To be sovereign, or not to be
From another delay to the European Agency for Cybersecurity's European Cybersecurity Certification Scheme for Cloud Services, to the European Data Protection Board's strategy for 2024-2027, Parliament's adoption of the European Health Data Space, and ramped up enforcement of the Digital Services Act...
Read More queue Save This
ANPD unveils efforts to streamline DSAR process
Brazil's data protection authority, the Autoridade Nacional de Proteção de Dados, and the Ministry of Management and Innovation in Public Services Management and Innovation Secretariat presented a process for streamlining data subject access requests. The improvements include simplifying complaint f...
Read More queue Save This
Related Stories
Tags
Cloud Computing
Privacy Operations Management
Recent Comments