Most likely, by now you have signed data processing agreements with your suppliers of managed IT services. But, are you prepared if your suppliers’ subcontractors move outside Europe and you are in breach with the GDPR?
May 25, 2018 was the deadline for GDPR compliance in most parts of Europa. A few countries including Norway and Luxembourg will catch up soon.
Hard GDPR work has been performed, which most of us have witnessed in our email inboxes. Almost everyone has explained how they process personal data and asked for permission to keep sending you information about products and services.
Maybe you are among those who have been working late hours to get everything ready in time within your own organization? And you feel pretty happy about taking care of other concerns for a while?
If so, pardon us for addressing GDPR issues again and spoiling the fun of being through. But we have some questions to ask. They might not lead to short term pleasure but rather to long time joy.
The questions concern subcontractor responsibilities.
Most companies controlling and owning data have signed data processing agreements with their managed IT service suppliers which have turned to public cloud service providers like Google Cloud, AWS and Microsoft Azure for back-to-back agreements.
Basefarm compliance advisor Patrick Tahiri has guided several organizations into the GDPR regime. He explains:
“When managed IT service providers such as Basefarm applies public cloud subcontractors as part of their hybrid cloud services, they need back-to-back agreements to secure your responsibilities as data controller through the entire value chain.”
What is paid less attention to is that public cloud subcontractors provide services from their own subcontractor. If so, Tahiri advises subcontractor agreements to be secured also on this level.
“Be aware that such subcontractors of subcontractors might move their service production out of Europe. Then, you might be in breach with the GDPR. Through recent work, we in Basefarm have witnessed many customers overlooking this potential security problem,” says Tahiri.
A likely scenario? Not what you would expect regularly, but still something to prepare for through contracts and access to skills for moving your services from one cloud to another.
1. Expect most subcontractors to handle GDPR professionally. Still, in the end you are responsible as data controller. Assess risks proactively when evaluating subcontractors. Check if they understand their responsibilities and have GDPR compliance capabilities.
2. See to it that agreements include early warning regulations if a subcontractor moves its services out of the European GDPR zone.
3. Routinely control if the subcontractors actually follow up your agreements. You might perform such controls yourself through questionnaires or team up with others to share GDPR audit work and costs. Basefarm will perform audits on behalf of several customers.
4. Be prepared to move your entire cloud installation to another cloud services provider. Connect appropriate skills. And, as with any backup/restore routine, test that you are able to perform a movement procedure.
This blog post is a summary of this week’s Information Security News put together by our Security Incident Response Team (SIRT). On November 30, 2018. nccgroup disclosed CVE-2018-12404, CVE-2018-19608, CVE-2018-16868, CVE-2018-16869, and CVE-2018-16870. These were from vulnerabilities found back in August 2018 in several TLS libraries. Read more Top 5 Security News MacOs Zero-day exposes […]
True to tradition, Basefarm’s Head of Security Operation have looked deep into his crystal ball to see what the new year holds. Here are 8 security trends to look out for in 2019. 1. Workforce gap necessitates different solutions According to the (ISC)2 organisation, we have a shortage of three million cybersecurity professionals. Without the […]
This blog post is a summary of this week’s Information Security News put together by our Security Incident Response Team (SIRT). With billions of user credentials being freely distributed online it’s high time to implement multi-factor authentication as the default way to authenticate. Wired has written an article about the magnitude of leaks: “Earlier this […]
All types of outsourcing of IT services, whether it’s to a local service provider or a global hyperscale cloud provider, have this in common: You can outsource a business process, but you cannot outsource the ownership to your business’s risk. That is why most companies that outsource must find ways to ensure their service providers […]
This blog post is a summary of this week’s Information Security News put together by our Security Incident Response Team (SIRT). “A massive government data belonging to the Oklahoma Department of Securities (ODS) was left unsecured on a storage server for at least a week, exposing a whopping 3 terabytes of data containing millions of […]
This blog post is a summary of this week’s Information Security News put together by our Security Incident Response Team (SIRT). Government Communications Headquarters (GCHQ), the UK’s counterpart to the National Security Agency (NSA), has fired the latest shot in the crypto wars. In a post to Lawfare titled Principles for a More Informed Exceptional Access Debate, […]
In this monthly post, we try to make you aware of five different security related products. This is a repost from my personal website Ulyaoth. This month we have chosen for the following: * Elastic Stack * Security Onion * Wireshark * Cuckoo * BeEF Elastic Stack Information from the Elastic Stack website: Threats don’t […]
This blog post is a summary of this week’s Information Security News put together by our Security Incident Response Team (SIRT). The European Commission decided to launch its bug bounty initiative, the Free and Open Source Software Audit (FOSSA) project. Starting in January, the European Commission is going to fund bug bounty programs for a […]
This blog post is a summary of this week’s Information Security News put together by our Security Incident Response Team (SIRT). The Australian “Telecommunications Assistance and Access Bill 2018,” also known as the Anti-Encryption Bill, was passed on the 6th of December, and it’s expected that it becomes law in early 2019. This new bill […]
You’ve done your homework and decided your company needs a Security Operations Center (SOC) to keep yourself protected and your customers’ data secure. You have a few options available: should you build your own SOC or find a provider for SOC as a service? The benefit of having your own SOC is having your own […]
BF-SIRT Newsletter 2018-26