GDPR may help Amazon, Google and Microsoft to dominate cloud computing, warns data protection lawyer

The 'big boys' will have the resources to handle the EU's new data protection regime

The forthcoming EU General Data Protection Regulation (GDPR), which comes into force on 25 May 2018, may be so onerous as to put small cloud providers at a competitive disadvantage, and help the computing giants to dominate the emerging cloud computing market in Europe.

That is the warning of data protection expert Kuan Hon, consultant lawyer at law firm Pinsent Masons, speaking at the recent Computing Cloud and Infrastructure Summit.

The GDPR, she says, blurs the distinction between data controllers and data processors, with responsibility flowing down the digital supply chain and adding an administrative burden accordingly.

Between now and 25 May 2018, companies with cloud contracts will need to make sure that those contracts are updated to take account of the introduction of GDPR - there will be no transitional arrangement whereby old contracts are allowed to expire before they are changed.

"[It will be a] big change for sub-processors," said Hon. "Prior consent will be needed and notification of changes, as well as what may be called a 'terms flowdown'. So, for example, you could have a contract with a software-as-a-service (SaaS) provider, which has to have certain minimum terms under GDPR.

"However, the SaaS providers' contract with their own infrastructure-as-a-service (IaaS) or platform-as-a-service (PaaS) provider also needs to have pretty much the same terms because that's a requirement of GDPR. It's really hard to know how far down the chain this has to go," said Hon.

"This is not just cloud computing, this is all supply chains," she added.

But for UK and European companies in cloud computing, enforcing the required terms and conditions on their suppliers might be a challenge - unless they are as large and as powerful as Microsoft, Google and Amazon.

Hon believes that this could be an unintended consequence of the new laws.

The EU, on the one hand, wants to encourage small and medium-sized enterprises (SMEs) in cloud computing and technology with initiatives such as the Digital Single Market. But, on the other hand, laws like the GDPR set a high bureaucratic barrier that start-ups and SMEs may struggle to overcome.

"Because of the 'flow down' requirements it may be impossible for a cloud provider to actually comply with all of these requirements, unless they are one of the giants; one of the Amazons, Googles or Microsofts, because they control the supply chain and they can force these flowdown provisions.

"[But] if you're a small SaaS provider, and you are trying to negotiate with Amazon, Google or Microsoft, it's going to be hard to get them to accept these extra obligations. Some of them might, but it's going to be difficult. So, really, I believe this is going to drive business towards the cloud giants who control their supply chain," warned Hon.

Last week, it was suggested that if organisations in the UK had been subjected in recent years to the same data protection regime as the GDPR will introduce, they could have been hit by fines totalling £122bn.
