A cloud service provider of apps and storage for businesses is a data processor. That does not, however, exempt it from appointing a Data Protection Officer (DPO): a processor must appoint one where its processing presents potential risks to the rights and freedoms of data subjects, or where it involves large-scale, regular and systematic monitoring.
The processor’s DPO must liaise with the controllers’ DPOs so that it has documented, adequate knowledge of the classes of data being processed and the types of processing carried out on the controllers’ behalf.
The processor requires a Data Processing Agreement with each controller. For a processor with hundreds, or potentially hundreds of thousands, of customers this may at first sound daunting. However, for existing customers there will already be a contract in place, and the business contract merely needs to be varied to include the data protection terms. This can be automated and can be as simple as redirecting customers to a positive opt-in for a new set of terms and conditions, with continued service contingent on their acceptance of those terms.
The processor should also ensure it uses sound encryption methods, and that is as much about key management as about the algorithm. If the encryption keys are stored insecurely, for example on the same file server as the data they protect, anyone who compromises that server has both the ciphertext and the key, and the encryption is easily circumvented. Keys should be held separately from the data, with access restricted to the systems and people that genuinely need them.
The same mistake occurs with email. Often an encrypted attachment is sent, followed by a second email containing the password for that file. If both emails are intercepted, or the mail server is compromised, the attacker has the file and the password together and the encryption provides no protection. The password should be communicated through a separate channel, such as a telephone call, rather than the same mailbox.
While the role of a processor is often considered ‘sedate’ in comparison to that of the controller, there are undoubtedly obligations it must fulfil in order to stay compliant.
Contact our Data Protection and GDPR Solicitors Liverpool, Wirral, Merseyside and Across England & Wales