GDPR will put up the price of cloud computing, warns data protection legal expert

GDPR means more cloud computing price rises are on the way

The price of cloud computing and other IT services in the UK and across the European Union is set to increase as a result of the added administrative cost of implementing and complying with the EU's General Data Protection Regulation (GDPR), according to one of the UK's leading data protection lawyers.

Kuan Hon, a consultant lawyer at Pinsent Masons, issued the warning at Computing's recent Cloud and Infrastructure Summit 2016 in London.

And, regardless of the Brexit vote in June this year, organisations across the UK will almost certainly have to comply with the GDPR when it comes into force on 25 May 2018 - giving them less than two years to prepare.

GDPR will put up the cost of cloud computing in Europe, she believes, because it will re-apportion data protection risks across organisations' digital supply chains.

Organisations will be expected to demonstrate compliance at every stage of processing of personal data with, potentially, heavy fines being levied by regulators on top of the high costs of dealing with data breaches.

These issues will need to be thrashed out before the 'hard' deadline in less than two years' time - there will be no 'grandfathering' of existing contracts and no transition period: all contracts must be changed before 25 May 2018, regardless of when they officially expire.

"These extra requirements [under GDPR] have got to go into the contracts. There's going to be lots of discussion over who's going to pay for the cost, who's going to be responsible for what, liable for what and indemnities and so on, because cloud providers could be directly liable themselves. If somebody sues them, and it was your fault, they are going to want to claim back from you.

"And pricing, unfortunately, is probably going to go up," she said.

There will also be other costs that organisations will have to bear over the next two years in order to achieve compliance. "There are slightly different security requirements under GDPR", she said, compared to the current data protection regime.

She continued: "The obligations themselves: confidentiality, integrity, availability, resilience, business continuity, and regular testing and evaluation. That's pretty much security best practices. Cloud providers and other 'processors' will be directly liable. They will have direct security obligations.

"[But] that also includes things like privacy by design, which would include security by design. And, of course, it's people and processes, too, not just technology."

These added expenses come on top of recent price increases announced for software licensing and cloud computing services following the fall in the value of the pound after the Brexit vote in June.

The added costs are expected to help the cloud computing giants - the Amazons, Googles, Microsofts, Oracles and Salesforces - to consolidate the sector more rapidly, while raising the cost base and locking out smaller players and start-ups.
