GDPR: 'Lock up' your cloud contracts before May 2018 - or face a multi-million pound fine

Organisations warned that unless they make all contracts GDPR compliant before May 2018 they could face fines running into millions

Organisations with cloud computing and other long-term IT services contracts will not only need to upgrade them in advance of the introduction of the EU General Data Protection Regulation (GDPR), but will have to make sure that contracts along their supply chain are also upgraded accordingly.

And organisations only have until 25 May 2018, the date that the GDPR will come into force across the European Union, in order to thrash out the contracts and make sure that their suppliers' suppliers are also compliant. Not only that, they will also need to renegotiate existing contracts set to expire after May 2018 as there will be no transitional 'grace' period.

The warning comes from data protection expert Kuan Hon, a consultant lawyer at law firm Pinsent Masons, speaking at the recent Computing Cloud and Infrastructure Summit in London.

"Hopefully, cloud providers will be updating their standard contracts to make them compliant, but it is difficult to know how much negotiation is possible," said Hon.

The GDPR will almost certainly work in favour of the cloud computing giants, said Hon, because they have the resources to be able to withstand the onerous bureaucratic burden the GDPR will impose. As a result, smaller providers will almost certainly struggle.

Organisations large and small that outsource any element of personal data storage or processing will therefore need to re-examine their position, she added, as there will be no 'grandfathering' of contracts. That is to say, the 25 May 2018 GDPR deadline is a hard deadline and any non-compliant contracts expiring after that date will need to be renegotiated.

"Basically, if you've got any contracts involving personal data processing that could expire after 25 May, you've got to take stock; you've got to make sure you know where they are [so that you can update them for compliance].

"If you're entering into new contracts, again, you've got to take account of these issues; you've got to put in the GDPR compliant terms now, or put in something that will let you change them," she said.

Ideally - and especially if your organisation has cloud contracts - it is better to take the first option and change the contracts outright to make them GDPR compliant as soon as possible, rather than wording the contracts to enable the organisation to change them later. "Because otherwise you're at the mercy of the cloud provider. You could leave it too late and then suddenly [have to] try to change everything," said Hon.

She continued: "These extra requirements have got to go into the contract, and there's going to be a lot of discussion over who's going to pay for the cost, who's going to be responsible for what, liable for what and indemnities, and so on, because cloud providers could be directly liable themselves. If someone sues them, and it was your fault, they are going to want to claim back from you."

And, after cloud computing customers have been told their subscriptions are going up by as much as 22 per cent following the decline in value of the pound after the Brexit referendum, they could be faced with further price rises to cover the cost of Brexit. "Pricing, unfortunately, is probably going to go up," warned Hon.
