Data protection and cloud computing
Data protection and privacy are often considered key risks when storing personal data in a cloud. The risks to your data in the cloud include:
- loss or damage by your service provider and their staff
- unauthorised disclosure or access
- malicious activities targeting your service provider - eg hacking or viruses
- poor security practices compromising data protection
Before choosing a cloud computing service, you should carry out a risk assessment of these hazards and their potential impact on your business.
Cloud and data protection laws
If you store or process personal data in the cloud, you will most likely have the overall responsibility for complying with the UK General Data Protection Regulation (UK GDPR).
Under the data protection laws, a cloud customer is usually viewed as a data controller if they determine the purposes for which and the manner in which the data is being processed. You are therefore likely to have the responsibility for how the data is handled, even if you don't have full control over the cloud.
As a data controller, you must ensure that:
- any processing of personal data is secure, even if this processing is being carried out on your behalf by a cloud provider
- data isn't transferred outside of the European Economic Area, unless the destination country and the circumstances of the transfer provide an adequate level of protection
- you have a written contract in place with your provider and their agreement to apply a high level of security to the data and only process this data in accordance with your instructions (eg delete it on request)
You will also want to establish:
- what level of responsibility the provider will assume for the security, functionality and continuity of service
- whether there are any provisions for compensation in the event of a security breach
If a cloud provider doesn't offer you assurances regarding the security or location of their service, it may indicate that they don't place enough emphasis on data protection, and the risk of falling foul of data protection legislation may be higher than necessary.
Levels of data protection
Service providers operate - and usually host - all the server requirements for a cloud computing system. These can include database management systems for data-intensive applications, such as those required for e-commerce or customer relationship management.
High levels of data protection are necessary for such applications, and you should check your contract or service level agreement carefully to find out what security measures your provider takes to protect your data.
ICO Helpline: 0303 123 1113