The Bunker, a managed service provider, suggests it is not size that will be the determining factor in deciding which cloud providers thrive under the GDPR.
Instead, the definitive attribute will be whether a company has a culture of information security instilled within the business.
Cloud service providers post-GDPR
Come May 2018, the GDPR will apply to all parties, so everyone must be able to demonstrate compliance or face the financial consequences.
Cloud service providers (CSPs) of any size risk major fines if they fail to comply with the terms of the General Data Protection Regulation (GDPR): up to 4% of global annual turnover in some scenarios.
The Bunker warns that irrespective of size and where they sit in the supply chain, CSPs need to have the relevant capabilities and security in their DNA if they wish to achieve and maintain full compliance.
This view runs counter to that of data protection expert Kuan Hon, who suggested at the Cloud and Infrastructure Summit 2016 that it may be near impossible for cloud computing companies to impose the required terms and conditions on their suppliers unless they are as large as the giant vendors such as Amazon, Google and Microsoft, because of the leverage those vendors have over their supply chains.
Instead, responsibility will flow down the digital supply chain, putting a burden on smaller providers.
This, she predicted, will leave the larger players to dominate Europe’s cloud market.
“Because of the ‘flow down’ requirements it may be impossible for a cloud provider to actually comply with all of these requirements, unless they are one of the giants; one of the Amazons, Googles or Microsofts, because they control the supply chain and they can force these flow down provisions.
“[But] if you’re a small SaaS provider, and you are trying to negotiate with Amazon, Google or Microsoft, it’s going to be hard to get them to accept these extra obligations. Some of them might, but it’s going to be difficult. So, really, I believe this is going to drive business towards the cloud giants who control their supply chain,” warned Hon.
“This is not just cloud computing, this is all supply chains,” she added.
Phil Bindley, CTO at The Bunker, however, believes that while there is only so far smaller companies can realistically perform due diligence along the supply chain, company size will not be the determining factor for success in the European market.
Instead, the defining business attribute will be having a culture of information security instilled within the business.
Bindley explains: “The GDPR is a heavyweight piece of legislation and will challenge cloud providers of all sizes, but it is much more onerous to comply with for those that don’t have security in their DNA.”
“It is likely that the herd will thin out over the next few years as less proficient CSPs are forced out of the market. For smaller CSPs it may be hard to put the required conditions on larger suppliers, however, this is not impossible.”
“The GDPR stipulates that there is joint liability between controllers and processors. Consequently, if an individual raises a claim, even those at the top of the chain could be liable.”
“Moreover, it will be the customer’s choice who they want the fines paid by and it is then up to the data processor to be refunded money from the responsible parties within the supply chain.”
“Ultimately, the GDPR is about protecting EU citizens’ data. In order to do this effectively companies must have a culture of information security ingrained within their business; taking this approach has the benefit of making companies more competitive by allowing them to manage risk effectively.”
“It doesn’t matter about the size of the supplier, without a secure framework in place people are not going to want to do business with you,” concludes Bindley.