In this second part of our two part article on cloud computing, we will deal specifically with data protection and security, two issues which are consistently raised by those in the cloud computing industry and their customers.
As discussed in our previous article, the evolution of traditional information technology services from local infrastructure to cloud computing introduces new legal issues and nuances arising from the different nature of these services. Many businesses are entering this new realm of cloud computing cautiously, attracted by the potential benefits that flow from such a service.
Many businesses will only enter into contracts with cloud providers once they have received both technical and legal assurances with respect to data protection and security. While an industry standard is required regarding these concerns, there are a number of issues which both cloud providers and businesses should always bear in mind when entering into contracts.
The very nature of cloud computing almost certainly will involve the processing of personal data. Businesses should seek assurances from the cloud provider that personal data will be processed in compliance with applicable data protection legislation.
Businesses, as data controllers, are entrusting their personal data to the cloud provider as a data processor and must ensure that the cloud provider has appropriate technical and organisational measures in place in order to prevent unauthorised or unlawful processing of personal data and accidental loss or destruction of, or damage to, personal data.
Transfer of Data
Sharing and transferring data within the ambit of a cloud can create legal issues surrounding the general restrictions on transfers of personal data outside the European Economic Area (EEA). Businesses should be aware of the fact that it is very difficult to determine the geographic location of specific data within the cloud environment.
Cloud providers and businesses need to have adequate safeguards in place. These include US Safe Harbor Certification, Model Contracts and Binding Corporate Rules.
Data security is a key requirement for businesses, regardless of the nature of the data being stored by the cloud provider. A data security breach or data loss can have significant reputational and financial repercussions for businesses. Businesses should negotiate adequate security measures with a cloud provider prior to handing over data.
Purely as a starting point, both cloud providers and business should consider the following in order to assist in developing a security policy:
- Access Controls
- Anti-Virus Software
- Automatic screen savers
- ISO/IEC 27001 Certification
By being aware of these issues and by negotiating these aspects adequately in a cloud computing contract, both cloud providers and businesses can achieve the necessary standard of compliance and minimise exposure to risk in the event of loss or damage occurring.
For further information, please contact David Cullen or Marie McGinley of our Technology & Commercial Contracts Department.