Basic Cloud Services Privacy Kit

Privacy Compliance Updated 23 May 2018

  • $1,650.00

A Basic Privacy Kit designed for Australian cloud services providers to assist with addressing their obligations under the Australian Privacy Act and, where applicable, the General Data Protection Regulation (GDPR)

How this package can help you

With the enactment of the Australian Notifiable Data Breaches Scheme and the EU Genreal Data Protection Regulation (GDPR), Privacy Law has now been brought head on into the digital age, bringing with its significant challenges for Australian cloud services providers with cloud servies that can be accessed from anywhere in the World. Our Privacy Kit seeks to make life easier for Australian cloud services providers, and includes the following documents:

  • Data Breach Response Plan (DBRP) – designed for Cloud Providers to call on in circumstances where an eligible data breach occurs. The DBRP is built to aid Cloud Providers’ understandings as to what needs to be done if an eligible data breach occurs – not only from a legal compliance perspective, but from a commonsense perspective as well.
  • Data Processing Agreement (DPA) – an agreement between a Cloud Provider and its Customer, that sets out the parties’ agreed position on what is to occur if there is a data breach of jointly held personal information. It is designed to have the Customer take the onus of carrying out the statutory notifications where possible. It is also designed to address the GDPR requirements of a cloud-based “processor” in favour of its Customer, as an extension of a cloud services agreement.
  • Cloud Services Privacy Policya Privacy Policy for a cloud-services provider.

Need more?

Consider purchasing our Advanced Cloud Services Kit which comes with additional documents.


The New Privacy Landscape for Australian Cloud Services Providers

All Australian entities caught by the provisions of the Australian Privacy Act, have since 22 February 2018 been subject to the Notifiable Data Breaches Scheme, that requires eligible data breaches to be notified, and other steps to be taken, where data breaches occur that are likely to result in serious harm. The assessment, remediation, notification and other processes that need to be carried out are significant as are the penalties for non-compliance with the new privacy regime (up to $2.1 million for corporations). Australian entities can therefore no longer turn a blind eye when it comes to preparing for and acting when notifiable data breaches occur. These new laws are notable for cloud service providers which ‘hold’ personal information. Under the Australian Privacy Act, Australian entities can ‘hold’ personal information by having the possession of that information through physical or electronic possession and may also ‘hold’ personal information through having control of it – for example by having the right or power to deal with the personal information (despite not physically possessing or owning the medium on which it is stored). It is likely that any cloud services provider will be deemed to ‘hold’ personal information stored on its physical or virtual computer servers.
 
To add to the regulatory red tape that the new Australian laws provide, from 25 May 2018, a new regulation is coming into effect known as REGULATION (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (GDPR). The GDPR, although a regulation of the European Union (EU), has far reaching consequences for Australian organisations that provide goods or services not only to EU citizens – but to any persons while they are in the European Union and the monitoring of the behaviour of any persons in the EU. Australian cloud service providers, including data hosting providers, software-as-a-service (SAAS) and other online platform operators typically permit access to their cloud services by persons from anywhere in the World with an internet connection, including when their Australian end user customers log on from Europe. Non-compliance with the GDPR carries with it even bigger penalties – the greater of 4% of a company’s annual global turnover and €20 million.
  

Common questions

When does the Notifiable Data Breaches Scheme come into effect?

It already has. It came into effect on 22 February 2018.

Does the GDPR apply to Australian cloud providers?

Article 3 of the GDPR makes it clear that the GDPR applies to organisations that provide goods or services not only to European Union (EU) citizens – but to any persons while they are in the European Union. It also applies to the monitoring of the behaviour of any persons in the EU. This includes many Australian cloud service providers, including data hosting providers, software-as-a-service (SAAS) and other online platform operators who typically permit access to their cloud services by persons from anywhere in the World with an internet connection, including from Europe.

When does the GDPR come into effect?

25 May 2018.

Does the GDPR really prevent cloud providers from engaging upstream hosting providers? 

Yes, unless the GDPR is complied with when engaging them.

How much free legal advice does this Kit come with?

This Basic Cloud Services Privacy Kit comes with 30 minutes of free telephone legal advice from Arnotts Technology Lawyers. During this time, Arnotts will answer any questions they can about the templates, to the extent possible within the 30 minutes allocated.

 

Why Use DocuStream?

  • Quick and easy
  • Customisable
  • Comes with free legal advice
  • Download in Microsoft Word format
  • Apply your own branding
  • Comes with 1 year of free updates
Buy Now

Need help selecting a template?

Call us on

02 8238 6989