Photo of Mark Rasdale

Last week MoneyConf firmly put Dublin in the Fintech spotlight. The pressure on financial services firms to make better use of technology to reduce costs and improve customer service shows no sign of relenting. At the same time they need to carefully navigate the related regulatory challenges around technology outsourcing. A member of the ECB Supervisory Board recently observed that banks are not “technological houses” and said that the fragmentation of banks’ services across a range of external providers creates a “challenge” for banks’ leaders, who retain responsibility. This statement will resonate, in particular, with financial institutions looking to understand how much they are currently using, and how they can make more and better use of, cloud based technology solutions.

Worth noting then that with effect from the 1st July 2018, there will be another set regulatory guidelines for financial institutions to consider when outsourcing.

The European Banking Authority Recommendations on Outsourcing to Cloud Service Providers (the Recommendations) confirm that executives and managing bodies of financial institutions must ensure that they have a real understanding of the risks associated with using technology to outsource any aspect of their operations. The Recommendations apply to both competent authorities, such as the Ireland’s Central Bank, and “financial institutions” which are credit institutions and investment firms as defined in EU Regulation No 575/2013.

These Recommendations supplement the Committee of European Banking Supervisors Guidelines on Outsourcing (the CEBS Guidelines). They provide more detail on the practical steps that should be taken by financial institutions when outsourcing to cloud service providers.

1. Materiality Assessment

Outsourcing institutions should, prior to any outsourcing to the cloud, assess which activities should be considered as “material”. Assessments of what amounts to a “material activity” should be performed on the basis of existing CEBS Guidelines and take into account:

  • whether the activities are critical to business continuity/ viability;
  • what the impact of outages would be from an operational, legal and reputational perspective;
  • how significantly revenue would be affected by any disruption to the activity; and
  • what the potential impact of a confidentiality breach or failure of data integrity would be.

Therefore, a detailed risk assessment should form part of any policy for procurement of cloud services and the regulator may look to see that assessment.

2. Duty to Adequately Inform Supervisors

If it is material outsourcing it will need to be notified to the relevant regulator. The Recommendations require that the outsourcing institution should maintain a register of all its material and non-material activities outsourced to cloud service providers. This may require a change in procurement and contract management processes for some financial institutions. A detailed list of the information to be compiled in the register is provided and includes:

  • general information on the type of outsourcing and the parties involved;
  • evidence of the approval for outsourcing by the management body or its delegated committees;
  • an assessment of the cloud service provider’s substitutability; and
  • identification of an alternate service provider, where possible.

This can only be done if an institution is proactively approving, managing and monitoring its use of cloud services. Many are not doing so and certainly not to the same extent as they would for more traditional outsourcing arrangements.

3. Access and Audit Rights

The Recommendations state that outsourcing institutions should obtain a contractual undertaking from cloud service providers to provide:

  • full access to business premises, including the full range of devices, systems, networks and data used for providing services outsourced (right of access); and
  • unrestricted rights of inspection and auditing relating to outsourced services (right of audit)

to the outsourcing institution, its auditors and the relevant competent authorities.

There are real challenges with the negotiation and exercise of access and audit rights when it comes to cloud services. The Recommendations are helpful in that they confirm the outsourcing institution should exercise its rights to audit and access in a risk-based manner. Pooled audits, third-party certifications or internal audit reports may be considered, provided sufficient safeguards are in place.  The outsourcing institution must ensure that the staff performing the audit have the right skills and knowledge to perform effective and relevant audits and/or assessments of cloud solutions.

This puts the onus on the outsourcing institution to ensure its staff properly understand cloud services, negotiate cloud contracts in an informed way to secure meaningful alternatives to traditional audit rights and are organised internally such that it can ensure those rights are put to effective use.

4. Security of Data and Systems

The Recommendations build on existing CEBS Guidelines in relation to security and require that prior to entering a cloud service agreement, the outsourcing institution should:

  • Classify the relevant data and activities involved on the basis of sensitivity and required protections;
  • Conduct a thorough risk based assessment of subject matter of the proposed outsourcing; and
  • Decide on (and build into the contract) appropriate levels of confidentiality, service continuity and data integrity and traceability.

The Recommendations note that the outsourcing institutions must also monitor the agreed standards, ensure the security measures are met and promptly take any necessary corrective actions. Again, this points to the need to proactively manage engagement with cloud service providers.

5. Location of Data and Data Processing

Outsourcing institutions must take special care when entering into and managing outsourcing agreements undertaken outside the EEA because of possible data protection risks. The Recommendations state that a risk assessment should be completed addressing the potential risk impacts, including legal risks and compliance issues, and oversight limitations related to the countries where the outsourced services are or are likely to be provided and where the data are or are likely to be stored, to ensure that any risks are kept within acceptable limits commensurate with the materiality of the outsourced activity.

Here, GDPR and more general regulatory requirements overlap and we think that consideration ought to be given to GDPR Privacy Impact Assessments for current and future cloud deals which involve the processing of personal data.

6. Chain Outsourcing

Chain outsourcing remains a key focus in these Recommendations. The Recommendations builds on this requirement, noting that the cloud outsourcing agreement should:

  • specify any types of activities that are excluded from potential subcontracting;
  • indicate that the cloud service provider retains full responsibility for services that it has subcontracted; and
  • include an obligation for the cloud service provider to inform the outsourcing institution of any planned significant changes to the subcontractors and include a right for the outsourcing institution to terminate the agreement if a change of subcontractor would have an adverse effect on the risk assessment of the agreed services.

These are not provisions that will feature in many standard cloud contracts (the supply chain may not even be known by the customer) and so will need to be negotiated.

7. Contingency Plans and Exit Strategies

The Recommendations state that outsourcing institutions should make arrangements to avoid service disruption in the event that the provision of cloud services by a service provider fails or deteriorates to an unacceptable degree. To achieve this outsourcing institutions should:

  • develop and implement comprehensive and sufficiently tested exit plans;
  • identify alternative solutions and develop transition plans to enable it to remove and transfer existing activities and data from the cloud service provider; and
  • ensure the outsourcing agreement requires the cloud service provider to provide sufficient support to the outsourcing institution to allow the orderly transfer of the cloud activity or to the to another provider or to be reincorporated into the outsourcing institution.

Agreeing the detail around exit plans is often challenging in outsourcing transactions. Many cloud contracts don’t deal with exit plans other than to provide for the termination of access to the service and/or to confirm that responsibility for taking back data sits with the customer and ought to be done during the contract and/or within a short time period following termination. The Recommendations suggest that financial institutions should perform a business impact analysis commensurate with the activities outsourced to identify what human and material resources would be required to implement the exit plan and how much time it would take. Failure to be able to demonstrate that this has been done may create difficulties where moving away from a cloud provider in the future doesn’t go as smoothly as was suggested at the outset.

Photo of Davinia Brennan

The Data Protection Commission (DPC) has revamped its website and published online forms to help organisations comply with their new obligations under the GDPR.

The website contains a new Data Protection Officer (DPO) Notification Form, which must be completed by organisations to inform the DPC of their DPO’s contact details.   The GDPR requires the appointment of a DPO in the following circumstances: (i) where the processing is carried out by public bodies or authorities; (ii) where an organisation’s core activities consist of large-scale regular and systematic monitoring of data subjects; and (iii) where an organisation’s core activities involve large-scale processing of special categories of data (i.e. sensitive data) or personal data relating to criminal convictions and offences. A DPO may also be appointed on a voluntary basis.  However, organisations should be aware that a DPO designated on a voluntary basis will be subject to the same obligations and tasks under the GDPR as if the designation had been mandatory.

Continue Reading Data Protection Commission publishes online DPO and Data Breach Notification Forms

Photo of John Cahir

Ireland succeeded in enacting the Data Protection Act 2018 prior to today’s GDPR deadline, with the President signing the Act into law yesterday. The Act implements derogations permitted under the GDPR and represents a major overhaul of the regulatory and enforcement framework.  This briefing note analyses the key provisions under the Act and its likely impact on businesses operating from Ireland.

Go to Publication

 

Photo of Davinia Brennan

The Article 29 Working Party (WP29) has published a position paper on the scope of the derogation from the obligation to maintain records of processing activities. Article 30.5 provides that the record-keeping obligation does not apply to organisations with less than 250 employees in certain circumstances. The WP29 has stated that the position paper was published as a result of a high number of requests from companies received by national Supervisory Authorities. Despite the existence of the derogation, the WP29 encourages SMEs to maintain records of their processing activities, as it is a useful means of assessing the risk of processing activities on individuals’ rights, and identifying and implementing appropriate security measures to safeguard personal data.  In light of the new accountability principle in the GDPR requiring organisations to be able to demonstrate how they comply with their GDPR obligations, it would certainly be prudent for all organisations, regardless of size, to maintain such records.

The position paper makes it clear that all organisations, without exception, must maintain a record of processing in regard for human resources (HR) data, as such processing is carried out regularly, and cannot be considered “occasional“. Accordingly, all organisations must ensure they can present records relating to HR data to their supervisory authority post-May 2018, if requested. This will entail keeping a record of the types of HR data processed, the categories of data subjects (i.e. employees, ex-employees, candidates, consultants), the purposes of the processing, the recipients of such data (e.g. any third party service providers), the data retention periods for each type of HR data processed, details of any non-EEA transfers of HR data, and the security measures in place to protect such data.

Continue Reading WP29 issues position paper on GDPR record-keeping obligation

Photo of Davinia Brennan

On 26 March 2018 , the US Department of Commerce (DOC) published an update on action it has taken to support the EU-US and Swiss-US Privacy Shield frameworks.  It highlights the oversight and enforcement measures taken in regard to the commercial and national security aspects of the Shield Frameworks.

It remains to be seen whether the measures taken will be sufficient to appease the Article 29 Working Party (WP29) who raised a number of concerns about the EU-US Privacy Shield last November 2017.  The WP29, in particular, called for the appointment of an independent Ombudsperson to be prioritized and the exact powers of the Ombudsperson mechanism need to be clarified, including through the declassification of internal procedures, as well as the appointment of PCLOB members.  It called for those prioritized concerns to be resolved by 25 May 2018, and its other concerns to be addressed at the latest at the second joint review.  The WP29 warned that if no remedy was brought to address its the concerns in the given time-frames, the WP29 would take appropriate action, including bringing the Privacy Shield Adequacy decision to national courts for them to make a reference to the CJEU for a preliminary ruling. Whilst the DOC’s update notes that President Trump has nominated three individuals to the PCLOB, it does not clarify whether Ambassador Judith G Garber, who has been ‘acting’ as Privacy Shield Ombudsman, has been permanently appointed to that role, nor is there any mention of declassification of the internal rules of procedure of the Ombudsperson.

On a positive note, the DOC’s update shows that the US has made efforts to address other concerns raised by the WP29, including publishing enhanced guidance on the self-certification process; strengthening monitoring and enforcement of the Shield, through random spot-checks on certified organisations and proactive checks for false certification claims, and developing user-friendly guidance material for individuals, businesses and authorities.

The DOC’s update also highlights that the US government has expressly confirmed that Presidential Policy Directive 28 (PPD-28), providing protection to individuals regardless of nationality with respect to signals intelligence information, remains in place without amendment.  In addition, Congress has reauthorized FISA section 702, reportedly maintaining all elements on which the European Commission’s Privacy Shield determination was based.

Photo of Davinia Brennan

The Data Protection Commissioner (DPC) has published her Annual Report for 2017, which discusses the key activities and challenges of her office last year, as well as her priorities for the coming year. The DPC spent much of 2017 raising awareness of the GDPR.  She continued to engage with organisations in regard to their data protection law compliance, carrying out over 200 consultations and 100 face-to-face meetings in which preparation for the GDPR was a constant feature.  The DPC dealt with a record number of complaints (2,642), most of which were resolved amicably.  She was also busy on the litigation front, particularly in regard to court proceedings concerning the validity of the EU Standard Contractual clauses as a legal mechanism to transfer personal data out of the EEA.

Continue Reading Insights on the Data Protection Commissioner’s Annual Report for 2017

Photo of Davinia Brennan

As a follow-up on its Communication of September 2017 on tackling illegal online content, the European Commission has published a non-binding “Recommendation” which formally lays down operational measures which online platforms and Member States should take, before it determines whether it is necessary to propose legislation to complement the existing regulatory framework. The Recommendation applies to all forms of illegal content which are not in compliance with EU or Member State law, such as terrorist content, racist or xenophobic illegal hate speech, child sexual exploitation, illegal commercial practices, breaches of intellectual property rights and unsafe products.  The Recommendation puts pressure on online platforms to implement more proactive measures to ensure faster detection and removal of illegal content online.  It has been criticised by digital human rights organisations as essentially forcing online platforms to “voluntarily” police and censor the internet, without respect for the fundamental right to freedom of expression.

Continue Reading European Commission publishes “Recommendation” on tackling illegal content online

Photo of Davinia Brennan

Last October 2017, the Government published the General Scheme of the Communications (Retention of Data) Bill 2017 (the Bill).  The draft Bill was published in response to Chief Justice Murray’s Report, which reviewed the law concerning the retention of and access to communications data held by communications service providers, and recent decisions of the EU Court of Justice (CJEU) in the Digital Rights Ireland and Tele2 cases.  Having engaged with stakeholders to hear their views on the draft Bill, the Oireachtas Joint Committee on Justice and Equality has now published its Report on pre-legislative scrutiny of the Bill.

Continue Reading Report on pre-legislative scrutiny of new surveillance legislation published

Photo of Daniel Harrington

Speaking at A&L Goodbody’s breakfast seminar, ‘GDPR The Last Lap‘, Anna Morgan, Deputy Data Protection Commissioner, has warned that companies who ‘over-report’ and adopt an overly conservative approach to the GDPR’s breach notification requirements may risk enforcement action from the Data Protection Commission (DPC).

Continue Reading Over-Reporting Data Breaches to Data Protection Commission may result in enforcement action, warns Deputy Data Protection Commissioner