GDPR – Managing roles either side of the Cloud’s “Silver Lining”…

We’re entering a period where two interesting and concurrent changes will converge, but there’s not yet much discussion about the very serious legal implications of this impending storm… and firms may be inadvertently entering into incomplete IT service contracts without knowing it.

You see, on the one hand, in Q2 2017 my firm is seeing a real and tangible acceptance of the “Cloud” value proposition in its many forms (private, public, hybrid, SaaS, etc.). Around mid-2016, the Cloud question on decision makers’ lips changed from “Should I or shouldn’t I?” to “How, Who, and When do I?”. 2017 and 2018 will see this trend continue, and more firms will enter 3 to 5 year IT outsourcing contracts.

On the other hand, whilst MiFID II is still dominating the weekly regulation and compliance meeting agenda, GDPR is increasingly looming large on the horizon. With its 4% of REVENUE maximum penalties coming into effect from May 2018, GDPR could wipe out a firm’s GP for an entire year… So yes Batman, it is serious.

BUT what happens if a good portion of the tasks that need to be performed to meet your regulatory obligations as Data Owner and Data Controller are actually within the responsibility and contracted scope of your third party/outsourced Cloud Services Provider (CSP) Managed Services Agreement (MSA)?

Ian de Freitas – one of the UK’s foremost legal experts on the implications of GDPR on outsourcing – told me recently that he thinks that a great many of the existing and soon to be executed standard MSA terms for CSP services will need to be amended within their first contracted term to address these issues.

For many firms, this cat is already out of the bag. The CSP MSA has already been negotiated and signed – so a change in scope, liability, service definition and SLAs will most likely require a variation negotiation.

Other clients of BEC are just commencing the process of Cloud vendor shortlisting, or are negotiating their MSAs right now – in isolation from any sort of GDPR impact assessment (because it hasn’t been done yet!).

So – if it’s not too late – we respectfully suggest you tie these two pieces of your organisation together nice and tight for the next 6 to 12 months – and perhaps you will be able to avoid coming back to the CSP MSA negotiating table mid-term, cap in hand.

If you would like to know more – perhaps you would consider attending our upcoming GDPR in the Clouds @ The Shard event. Further details can be found at 
