Cloud Technology for Insurers - Part 5
Compliance with Data Protection Law
In the previous article of this series, we introduced the applicability of EU data protection law to the use of public cloud by insurance companies. In this article, we will discuss concrete challenges imposed by data protection law.
The public cloud market is a global industry, and the leading providers are all based in the United States. Customers usually prefer these tech giants for several reasons: they have the most industry experience and a well-established market position, charge the lowest service fees, offer the widest selection of cloud services, and can provide the highest level of security and reliability. More importantly, the global cloud market is dominated by only three vendors, with Amazon Web Services (AWS) controlling about two-thirds of the entire market and few real competitors beyond IBM and Google. Insurance companies therefore have little choice among alternative providers, especially European ones. Because they are effectively limited to US vendors, insurance companies in Europe must ask to what extent the use of public cloud services is compliant with local data protection regulations.
Control over data processing
Once an insurance company processes personal data in the cloud (even if it merely stores the data there), it performs data processing regulated by data protection law. The insurance company takes on the role of the data controller and the cloud provider the role of the data processor. EU data protection law requires the data controller to retain full control over the data processing performed by the data processor. Since self-service is one of the characteristic cloud features, the cloud user issues the instructions for data processing through its own applications, and the cloud provider usually carries out these instructions in a fully automated manner. Nevertheless, it must be contractually agreed that the cloud provider processes the data only in accordance with the user's instructions. If the provider does not already guarantee this in its standard agreement, an annex to the agreement must be prepared that implements the requirements of EU data protection law.
Encryption of data
To protect personal data from unauthorized access, it is advisable to store it only in encrypted form. The large public cloud providers offer the corresponding functionality and applications, and the top vendors document industry best practices and standards for their use. However, it should be noted that encrypted personal data should still be treated as personal data, although not all data protection authorities agree on this point. The practical question is who holds the keys: if the provider manages the keys, its staff can in principle decrypt the data, whereas data encrypted by the insurer before upload, with keys that never leave the insurer's control, is opaque to the provider. If data is transmitted to the cloud without already being encrypted, users must rely on the cloud provider's documentation, security certifications, and compliance reports to determine whether and under what circumstances the cloud provider's staff can view customer data in plain text.
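The following Go program, added here as an illustration and not taken from the article or from any provider's SDK, shows what "encrypting before transmission" looks like in practice: client-side envelope encryption. A fresh data key encrypts each record with AES-GCM, and a key-encryption key (KEK) that the insurer keeps on premises wraps that data key. Only the ciphertext and the wrapped key are uploaded, so the provider holds nothing it can decrypt. The sample record, object name and the fixed KEK are constructed for the demonstration; in production the KEK would come from the insurer's own HSM or key management system.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// EncryptedObject is all that leaves the insurer's environment and is stored at
// the cloud provider: ciphertext plus the data key wrapped under the insurer's
// KEK. Neither field reveals plaintext or a usable key.
type EncryptedObject struct {
	WrappedDataKey []byte
	Ciphertext     []byte
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts plaintext under key with a random nonce prefixed to the output.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return append(nonce, aead.Seal(nil, nonce, plaintext, aad)...), nil
}

// open reverses seal and fails if the ciphertext, nonce or aad was tampered with.
func open(key, sealed, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < aead.NonceSize() {
		return nil, errors.New("sealed data too short")
	}
	nonce, ct := sealed[:aead.NonceSize()], sealed[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, aad)
}

// EncryptForUpload performs envelope encryption on the client side: a fresh
// 256-bit data key encrypts the record, and the KEK (never sent to the
// provider) wraps the data key. The object name is bound as associated data so
// a stored ciphertext cannot be silently moved under a different object name.
func EncryptForUpload(kek, record []byte, objectName string) (EncryptedObject, error) {
	dataKey := make([]byte, 32)
	if _, err := rand.Read(dataKey); err != nil {
		return EncryptedObject{}, err
	}
	ct, err := seal(dataKey, record, []byte(objectName))
	if err != nil {
		return EncryptedObject{}, err
	}
	wrapped, err := seal(kek, dataKey, []byte(objectName))
	if err != nil {
		return EncryptedObject{}, err
	}
	return EncryptedObject{WrappedDataKey: wrapped, Ciphertext: ct}, nil
}

// DecryptAfterDownload unwraps the data key with the KEK and then decrypts the
// record. Without the KEK (i.e. as the provider), the first step already fails.
func DecryptAfterDownload(kek []byte, obj EncryptedObject, objectName string) ([]byte, error) {
	dataKey, err := open(kek, obj.WrappedDataKey, []byte(objectName))
	if err != nil {
		return nil, fmt.Errorf("unwrapping data key: %w", err)
	}
	return open(dataKey, obj.Ciphertext, []byte(objectName))
}

func main() {
	// Constructed sample data; a real KEK would come from the insurer's HSM/KMS.
	kek := bytes.Repeat([]byte{0x11}, 32)
	record := []byte("policy=PV-0001;dob=1980-01-01;diagnosis=redacted")
	name := "claims/2017/0001.json"

	obj, err := EncryptForUpload(kek, record, name)
	if err != nil {
		panic(err)
	}
	fmt.Printf("uploaded ciphertext bytes: %d, wrapped key bytes: %d\n",
		len(obj.Ciphertext), len(obj.WrappedDataKey))

	// What the provider can do with its copy: nothing, lacking the KEK.
	if _, err := DecryptAfterDownload(bytes.Repeat([]byte{0x22}, 32), obj, name); err != nil {
		fmt.Println("provider-side decryption without KEK fails:", err)
	}

	got, err := DecryptAfterDownload(kek, obj, name)
	if err != nil {
		panic(err)
	}
	fmt.Println("insurer-side round trip ok:", bytes.Equal(got, record))
}
```

Note that this makes the remote-access and cross-border questions discussed below much easier to answer for the encrypted data itself: a provider engineer with access to the storage layer sees only ciphertext. The keys, the decrypting application, and any data the application handles in plaintext remain inside the insurer's control boundary and must still be assessed.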
Cross-border data transfer
EU data protection law sets certain requirements when data is transferred to a country that is not a member of the EU (a so-called third country). Fortunately, when using the global public cloud providers, insurers can specify one or several geographic regions, and the consumed services are then provided from datacenters located in those regions. However, as we show below, several aspects still need to be considered.
Remote access for cloud maintenance
The cloud provider typically keeps maintenance staff on constant stand-by so that it can act immediately on any technical problem affecting its cloud. Consequently, it must be clarified to what extent the provider relies on support staff located outside the EU. At least under current German data protection law, such access from outside the EU is considered a data transfer to a third country. Even if the cloud provider offers support exclusively from staff located within the EU, it must be verified whether remote access from outside the EU is in fact contractually excluded. If no contractual guarantee can be obtained that such a transfer cannot happen, the insurer is currently required to obtain explicit consent from its end customers before storing sensitive personal data (see the previous article for the definition) on the infrastructure of IT service providers for which remote access from outside the EU cannot be excluded. However, the upcoming EU General Data Protection Regulation (GDPR) will relieve data controllers of this duty, because merely theoretical access from a third country will no longer be considered a transfer.
It must also be verified whether all consumed cloud services are indeed delivered locally from the selected region, as some providers also operate global services within which data may be transferred to other countries. Particular attention should be paid to edge locations, which some cloud providers operate in addition to their own datacenters. Some cloud services use these locations as part of their transport infrastructure to speed up data transfer to and from the end user. It should be checked whether any of the cloud services in use process data in edge locations, to what extent this can be controlled through configuration, and whether it is relevant under data protection law.
If the cloud provider relies on subcontractors to deliver its services, these subcontractors must also comply with the requirements of data protection law. For instance, some PaaS providers use IaaS providers as subcontractors (see part 2 of this article series for an explanation of PaaS and IaaS). It may, however, be difficult for an insurer to fully control the contractual relationships between a cloud provider and all of its subcontractors. Under the EU's upcoming GDPR, data processors will no longer be able to appoint sub-processors without the prior written consent of the data controller. If the data controller agrees to the appointment of sub-processors, they must be appointed on the same terms as those set out in the original contract between the data controller and the cloud provider.
In the next parts of our article series, we will continue discussing how insurance companies can handle the challenges encountered when migrating into the public cloud. Stay tuned!