With increasing numbers of organisations moving to the cloud, it is important that businesses fully understand that even in new technological environments they still have to remain compliant with data protection legislation.

 

Using cloud computing solutions in your business can provide some significant benefits in flexibility and reduction in costs, particularly in terms of hardware and software and just generally in terms of IT expenditure. However, if you are using a CRM system or a marketing database system that is cloud based and it holds all your customer and prospect data how do you ensure that you are holding that data in line with your obligations under the Data Protection legislation

 

As the customer of the cloud computing service provider is likely to be deemed the data controller, the obligations contained in the legislation rest with you and you are therefore responsible for the actions of both the service provider and the cloud provider. One of the key issues in this then is how you can ensure that the service provider and cloud provider comply with the applicable data protection law?

 

To help with this situation the Information Commissioner’s Office (ICO) has recently published guidance that helps businesses by setting out the potential risks, detailing practical steps for customers to follow when selecting a cloud provider and it will serve as an important reminder to companies that they remain responsible for personal data, even when it is passed to cloud network providers.

 

A summary of the key points in the Guidance are detailed below:

 

New Guidance on Cloud Computing from the Information Commissioner’s Office (UK)

Underlying principles  

The guidance begins by addressing the application of the rules contained in the Data Protection Act (DPA) to the processing of information in the cloud. The DPA covers all ‘personal data that is processed’. As ‘processing’ is defined very widely it will include most operations occurring in the cloud, including the simple storage of data.

 

The distinction between data controller and data processor can sometimes be murky; this is particularly true for cloud computing. The guidance runs through the three main types of cloud deployment model (private, community and public) and considers which role will be filled by the customer and provider. As the cloud customer will be making decisions on the purposes and manner in which the data are processed, it will generally be the data controller and therefore be ultimately liable for compliance with the DPA. However, the precise role of the cloud provider should be reviewed on a case-by-case basis to determine whether it is processing personal data to such an extent that it could be operating as a data controller in its own right.

 

The guide then highlights the following key areas, which should be considered by companies looking to move the processing of personal data to the cloud:  

 

Codification of the relationship

  • The DPA requires the data controller to have a written contract with the data processor, which includes obligations on the processor to “act only on instructions from the data controller” and to “comply with security obligations equivalent to those imposed on the data controller itself”. Many cloud providers offer ‘take it or leave it’ terms and conditions when signing up to the service. Therefore, cloud customers should take care to check that any terms of service allow them to retain sufficient control over the data to avoid falling foul of their DPA obligations.

Auditing/Monitoring the cloud provider

  • As the DPA requires data controllers to take “appropriate technical and organisational measures against the unauthorised or unlawful processing of personal data”, companies should be careful when choosing a cloud provider and ensure that the provider offers sufficient guarantees about their technical and organisational security measures, which should also be precisely spelled out in the contractual documentation.
  • An audit (including an inspection of the provider’s premises) should be carried out to review the security measures of any potential data processor. However, the ICO recognises the logistical difficulty of multiple customers conducting individual audits. Therefore, the guidance recommends that the cloud provider instruct an independent third party to conduct a detailed security audit of its service, which can then be made available to prospective customers.
  • Where cloud services are layered, this assessment should include assurances that the security of any sub-processor complies with the same security requirements set out by the cloud provider.
  • Customers should recognise that their obligations as data controller do not end once the cloud provider is selected. Ongoing monitoring, review and assessment is necessary to ensure that the service is run properly as set out in the terms of the contract.

Protection of data

  • Data ‘in transit’ between endpoints should be encrypted to ensure that it is secure and protected from interception. The encryption algorithm should meet recognised industry standards.
  • It may be appropriate for cloud customers to use encryption on data ‘at rest’ (i.e. stored within a cloud service). When making this decision, the sensitivity of the data should be considered along with the type of processing undertaken in the cloud.
  • Care should be taken when using an authentication process to allow users to access data remotely and a clear policy should be put in place to dictate the situations where the cloud provider may access the personal data.
  • There is an increased risk when a single cloud provider acts as a data processor for multiple cloud customers in a multi-tenancy environment. Robust safeguards should be put in place to prevent any data ‘mix-ups’.

Data retention and deletion

  • The DPA contains specific provisions that deal with the deletion of data. Cloud customers should ensure that the cloud provider can delete all copies of personal data within a timescale in line with the customer’s own deletion schedule. This may be complicated by the fact that cloud providers often maintain multiple copies of data for resiliency reasons.

Further processing

  • Under the DPA, personal data should be obtained only for specified and lawful purposes and should not be further processed in any manner incompatible with those specified purposes. The contract for the provision of the cloud service should therefore prevent the cloud provider from using the data for any of its own purposes.
  • The ICO notes that a number of Software as a Service (SaaS) products are supported by targeted advertising based on the personal data of cloud users. Cloud providers should be careful to get specific authorisation for this from the cloud customer and the customer should ensure that their own end-users are fully aware of how their data are being processed.

Using cloud services from outside the UK

The DPA imposes restrictions on personal data being transferred outside of the EEA. Therefore, cloud customers should request from a potential provider a list of countries where data are likely to be processed along with the safeguards in place in each location.

Source Bird and Bird’s Data Protection and Data Privacy group