Compliance as a Service

34 Pages. Posted: 14 Nov 2018


Dimitra Kamarinou

Queen Mary University of London, School of Law - Centre for Commercial Law Studies

Christopher Millard

Queen Mary University of London, School of Law - Centre for Commercial Law Studies; Oxford Internet Institute

Isabella Oldani

Queen Mary University of London - Centre for Commercial Law Studies; University of Trento, School of International Studies, Students

Date Written: November 14, 2018

Abstract

This paper provides an empirical review of GDPR-related marketing communications and data processing agreements of 13 cloud service providers (‘CSPs’). Our analysis focuses on how these agreements reflect and deal with the key data protection obligations imposed on controllers and processors under Article 28 GDPR. More specifically, we discuss issues of engaging sub-processors, complying with security and personal data breach notification obligations, complying with the obligations to keep records of processing activities and carry out audits, managing data subjects’ requests and complying with obligations regarding transfers of personal data outside the EEA.

Article 28 GDPR creates an inter-dependency between controllers and processors for compliance purposes. The CSPs surveyed not only provide assurances regarding their own GDPR compliance, but also commit to assisting their customers to comply. We argue that this symbiotic framework will facilitate the development of a Compliance as a Service model, particularly in areas with growing technical challenges such as security arrangements, identification of data breaches, and management of audits. Even though a controller’s GDPR compliance cannot be outsourced completely, we argue that it is likely that controllers will become increasingly dependent on CSPs for various compliance purposes.

Keywords: cloud, GDPR, cloud service providers, compliance, service, data protection, personal data, controllers, processors, data subjects, security, personal data breach notification, audit, transfers

JEL Classification: K12, K19, K2, K20, K23, K29, K30, K33, K39, L86, M13, O33

Suggested Citation

Kamarinou, Dimitra and Millard, Christopher and Oldani, Isabella, Compliance as a Service (November 14, 2018). Queen Mary School of Law Legal Studies Research Paper No. 287/2018. Available at SSRN: https://ssrn.com/abstract=3284497

Dimitra Kamarinou (Contact Author)

Queen Mary University of London, School of Law - Centre for Commercial Law Studies

67-69 Lincoln’s Inn Fields
London, WC2A 3JB
United Kingdom

HOME PAGE: http://www.law.qmul.ac.uk/staff/kamarinou.html

Christopher Millard

Queen Mary University of London, School of Law - Centre for Commercial Law Studies

67-69 Lincoln's Inn Fields
London, EC2A 3JB
United Kingdom

HOME PAGE: http://www.law.qmul.ac.uk/staff/millard.html

Oxford Internet Institute

1 St Giles
Oxford, OX1 3JS
United Kingdom

HOME PAGE: http://www.oii.ox.ac.uk/

Isabella Oldani

Queen Mary University of London - Centre for Commercial Law Studies

67-69 Lincoln’s Inn Fields
London, WC2A 3JB
United Kingdom

University of Trento, School of International Studies, Students

via Verdi 8/10
Trento, 38122
Italy
