Privacy in the Cloud – roles and responsibilities

Frank Madden of IBM reports on how his company manages the different roles of controllers, joint controllers and processors on the Cloud.

The roles and responsibilities of Controllers, Joint Controllers and Processors on the Cloud have caused some concern for organisations wanting to comply fully with laws such as the EU GDPR,(1) the California Consumer Privacy Protection Act (CCPA) and/or Brazil’s General Data Protection Law (LGPD).


A Controller, alone or jointly with others, determines the purpose and means of Processing.(2) The purpose is the “why” of Processing, while the means is the “how”.
When IBM provides Cloud services, the customer acts as the Controller. They determine the “why” of Processing – e.g., storing end-user Personal Data (PD) /Special Categories of Personal Data (SCPD) – and choose IBM as a Cloud provider. Therefore, the Controller also decides the “how”.

Continue reading

International Report subscribers: please login to access the full article.

If you wish to subscribe, please see our subscription information.