PDPC issues cross-border data transfer guidelines for cloud services

Singapore’s data protection watchdog issues advisory guidelines to help businesses and cloud suppliers stay on the right side of the law under the country’s data protection regime

Singapore’s Personal Data Protection Commission (PDPC) has issued advisory guidelines to help businesses and their cloud service providers (CSPs) better understand their obligations under the country’s data protection regime.

Speaking at the opening ceremony at Cloud Expo Asia 2019, Philip Heah, assistant chief executive of the Infocomm Media Development Authority (IMDA), said the guidelines centre on ensuring that data transferred across boundaries in a cloud environment will be protected.

“The new guidelines clarify the obligations of CSPs to protect personal data that is transferred overseas,” he said. “They also clarify how organisations adopting cloud services can comply with the Personal Data Protection Act (PDPA) through their selection of a CSP that is able to provide the necessary protection for personal data.”

According to the guidelines, issued on 9 October 2019, CSPs that process personal data on behalf of their customers are considered data intermediaries and subject to the protection and retention limitation obligations under the PDPA.

Also, an organisation that engages a CSP as a data intermediary to provide cloud services should ensure that the CSP only transfers data to locations with data protection regimes comparable to Singapore’s or has legal obligations to ensure comparable standards to protect the transferred data.

The PDPC said these requirements can be addressed in the written contract between an organisation and its CSP. The contract should deal with both the standard of protection and the overseas locations to which personal data could be transferred, it said.

When processing personal data as data intermediaries, CSPs can turn to industry standards such as ISO 27001 and Tier 3 of the Multi-Tier Cloud Security standard to provide assurance of compliance, the PDPC said.

In cases where a CSP’s contract with its customers does not specify the locations to which it may transfer personal data, organisations would be considered to have taken steps to comply with the PDPA if the CSP meets industry security standards.

“For example, the organisation could consider engaging a CSP that is certified as compliant with the ISO 27001 standard and can produce technical audit reports such as the SOC 2 upon request,” it said.

Heah said that with evolving cloud business models, having clarity over how data is protected and managed is important for businesses to adopt cloud computing. “IMDA will continue to work closely with the industry on cloud native enablement and personal data protection,” he added.

In March 2019, the IMDA started the GoCloud programme to help small and medium-sized enterprise (SME) technology suppliers to re-architect traditional monolithic software or build new containerised applications.

Through training courses delivered by service providers appointed by IMDA, these suppliers can also learn more about building a DevOps culture within their organisations, harnessing automation tools to speed up application delivery and using cloud platforms to scale their business and serve new markets.

To date, more than 50 SMEs are participating in the GoCloud programme, said Heah. These include MuRho, a supply chain management software supplier, which is modernising its legacy applications into cloud-native services to reap cost savings and scale as it expands overseas.
