As you might have noticed, your inbox has been filling up as of late with a number of updates service policies as well as new terms and conditions. Most engineer you meet today are also in one way or another dealing with the implications of the GDPR at the moment.

Exoscale has been the favored provider of many companies building applications for the web, a field where GDPR has the largest implication. There still seems to exist a lack of clarity and understanding of what the GDPR means for people who host.

Cloud computing and GDPR: Exoscale's approach

Below are some essential points that need to be considered, and should be if you are building applications, whether you are in the EU or out of it as long as you allow sign-ups from everywhere. By allowing anyone to use your application or service, you become subject to the GDPR for European customers. This advice obviously is not valid legal advice, for which I would advise you to retain a counsel.

1. All data collection needs to happen on a lawful basis

There are only six lawful justification for data collection, as mandated by GDPR:

  1. The concerned party agrees to it. Concretely, everyone needs to opt-in for collection.
  2. The collected data is necessary to establish a contract. For example, you need an email to create an account.
  3. The collection is mandated by law. If you invoice customers, you will need to keep those around.
  4. Processing of the collected data presents a vital interest. This may be true of medical data for instance.
  5. Processing of the collected data is in the public interest. This probably won’t ever be a reason for you as a private company and is more likely to be the case for public institutions.
  6. The collection is in the legitimate interest of the collecting party. This is the most fuzzy notion, needs to be weight against the personal interest of data subjects. The canonical use case for this notion here is that your are in your lawful right to process a customer’s address when shipping goods.

Anything falling out of this spectrum is considered unlawlful and will be subject to fines if you insist on carrying it out. In the light of the recent revelations around the practices of Facebook and other entities, this should be considered great news. It might come at the expense of adapting your application and the way you handle your newsletter population but this will greatly improve your rights as consumer.

2. Date of agreements to all contracts must be stored

The gist of it is that you need to know when an account was created, as well as when terms and conditions were accepted. This is most likely all part of an account’s creation process but there now needs to be simple ways to access acceptance dates.

3. You need a data processing agreement with your provider

The Data processing agreement or DPA is a document describing your relationship with your hosting provider, stipulating that the data being processed by the provider is confined to the strict minimum necessary to provide the service.

In the case of Exoscale, this means holding on to your account and billing details, as well as the list of resources you consume on Exoscale for a short time, in order to produce usage metering statements.

4. A full right to access and deletion

There should not only exist provisions to remove data upon request, but to also provide full extracts. The current mandate is to fulfill a request within 30 days of a request.

5. Data protection by design is now mandated

Product decisions which touch area must exhibit proof that they were designed with data protection in mind. This is one of the least concrete and immediately applicable mandates of the GDPR. From a public-facing application’s point of view, a clear internal documentation of the way data is treated is the initial step we would recommend.

6. Breach reporting and investigation procedures must exist

Companies that act as data processors now need process around reporting and investigation of breaches of data processing and data collection rules.

Corrolary to this, a Data processing officer needs to be named to own the surrounding process.