A few thoughts on the shared responsibility model under the EU General Data Protection Regulation

By Jeff Bullwinkel, Associate General Counsel and Director of Corporate, External & Legal Affairs

There is much discussion about the EU General Data Protection Regulation (GDPR) at the moment, as the May 2018 deadline for mandatory compliance and enforcement looms. Microsoft has a great deal invested in ensuring that our offerings provide a foundation for customers to build solutions that meet all the requirements of the GDPR. Yet, is it possible for a cloud service provider such as Microsoft to create a solution that will, by itself, make customers 100% GDPR compliant?

What is important to recognize is that the GDPR is a set of regulations that go beyond a simple checklist of requirements that can be fulfilled by a technology provider alone. Full GDPR compliance requires a partnership between the service provider and the customer who controls personal data. The GDPR also mandates substantial changes in organizational capabilities and business processes for handling personal data, among other things.

In this article, I’ll discuss a few of the areas where the new GDPR rules will impact virtually all organizations and highlight how Microsoft can help customers with understanding and implementing a plan to achieve full GDPR compliance.

Shared responsibility requirements

The GDPR relies on a formal definition of control over personal data.

There is the concept of a data controller. This is an organization that has full control over the access and use of data records that contain personal data about individuals. This could be an end user organization that maintains an employee database or it could be an organization that collects personal information from its customers and uses it for marketing purposes. The GDPR introduces new rules for how personal data from European residents, or personal data that is stored in the EU, is handled. It also enshrines new rights for end users – such as the right to have their information corrected or even deleted from a controller’s database – and puts limits on how their information can be used.

There is also the concept of a data processor – an organization that stores personal data on behalf of another party and responds to requests to process the data. The data processor may not have or rely on access to the contents of the data records. This is where many cloud services fit – but not all cloud services. Depending on the type of cloud service being offered and the implementation scenario, a cloud service provider might be:

  • data processor – such as the case when Microsoft offers hosted virtual machine Azure services and Microsoft simply provides the VM capabilities but has no visibility into the virtual machines that are running on the service or the data, or
  • data controller – such as the case of a company that offers cloud services to end users but hosts those services on someone else’s cloud, or
  • both a data processor and controller – such as the case where Microsoft provides the Office 365 solution to an individual or business and collects personal information about the subscriber.

Microsoft has been working for many months to ensure its cloud offerings provide a foundation for building fully GDPR-compliant platforms that customers can use for their IT needs. However, this work covers Microsoft’s obligations as a data processor – which is only half the story.

In most cases, our cloud customers are data controllers, and in this role these organizations have substantial obligations under the GDPR as well. Some of these obligations are solely the responsibility of the data controller and some are joint responsibilities with the data processor or cloud service provider.

While data processors face potential liability for non-compliance, according to the IAPP in their “Top 10 Operational Impacts of the EU’s General Data Protection Regulation” publication, the “burden for personal data protection under the GDPR still rests primarily with controllers.” Therefore, much of the real work will rest with the data controllers – that is, Microsoft’s cloud customers.

Organizational changes

Data controllers and processors may need to make some real changes to their organizations in order to meet the requirements of the GDPR. For example, an independent data protection officer (DPO) will need to be hired and put in place if the entity is involved in “regular and systematic monitoring of data subjects on a large scale.” Even though Microsoft will have its own DPO, it is important for customers to determine whether they need their own DPO. Customers should not assume they are covered in relation to this obligation merely because they use a cloud service provider with a DPO that is “GDPR compliant.”

Another area that may require organizational changes is the possible need for ongoing Privacy Impact Assessments. In addition, both controllers and processors need to implement organizational and technical measures to protect data.

These are just a couple of examples where our customers will need to take an active role in determining what organizational changes they need to put in place to achieve and maintain GDPR compliance.

Process changes

There are also many areas where GDPR data controller requirements will impact the day-to-day business processes inside an organization. Some examples of these areas include:

  • Consent: In order to use or process personal information from EU residents, the organization will need to get clear, explicit consent from individuals for the proposed uses of their personal data. This consent needs to be recorded, and the individuals need to be provided with the ability to withdraw their consent in the future (in effect, a right to be forgotten). While Microsoft and other cloud providers will need to get consent from their customers, a customer using cloud technologies, as the data controller, still needs to get consent from their European users and employees.
  • Cross border data transfers: Transferring data on European subjects across borders is a big deal under the GDPR. Since cloud computing can span borders, customers will need to ensure they have the proper contract structures in place with their cloud service providers (the data processor) in order to meet GDPR requirements. In some cases, lack of adequate data protection laws in some non-EU countries may require special provisions such as standard contractual clauses or binding corporate rules before data can be processed or transferred. This is an area where Microsoft can help. We have the contractual foundations in place to ensure both Microsoft and the customer can meet the data transfer requirements of the GDPR.
  • Data breach notification: Not only does the GDPR establish mandatory rules for notifying end users in the event of a data breach – it goes a step further by requiring controllers and processors to implement appropriate technical and organizational measures to help prevent breaches from happening in the first place. Controllers can only use processors, such as Microsoft, that are contractually bound to meet the GDPR’s security of processing standards.

These are just a few examples of how the controller and processor need to work hand-in-hand to understand, implement and maintain their various roles and responsibilities as defined by the GDPR. Both the data processor and the controller need to establish GDPR-defined contractual terms, and the controller needs to do its part before any claim of compliance can be complete.

Collaborative approach

At Microsoft, we believe the best plan for achieving GDPR compliance is a collaborative approach with our customers. We see this as an opportunity for a conversation with our customers to explain exactly where Microsoft is in terms of meeting the requirements of the GDPR; to understand the roles and responsibilities of both parties, including contractual obligations; and to discuss the development of an action plan for collaborating in achieving full GDPR compliance.

Microsoft has numerous GDPR specialists within our Corporate, External & Legal Affairs (CELA) organization – including professionals who are working face-to-face with customers in the field and others who sit in our regional and global headquarters providing guidance and assistance to both the field and our product groups. Microsoft also has partners in every region that can provide technical, logistical, training and legal help.

Our GDPR engagement with qualified enterprises typically begins with a free one-day GDPR workshop, followed by a two-week paid GDPR assessment to help the customer understand the scope and roles of the GDPR project and formulate the implementation plan. We then proceed with completing the work together with the customer and key technology and advisory partners.

We welcome the opportunity to work with our customers to educate them on the GDPR’s shared responsibility model and assist with mapping out a plan to help ensure GDPR compliance.

Recommended further reading

For more information on the GDPR, take advantage of the Microsoft resources on Microsoft.com/GDPR. In addition, we recommend exploring the following useful third-party resources: