From: Shoosmiths (UK)
Author: Aisling Duffy
According to a recent article by Shoosmiths, the cloud software market generated $22 billion in revenue in 2011, and expects growth to $67.3 billion by 2016
Alongside the benefit of cloud computing, however, lies a lack of transparency for cloud customers, causing legitimate concerns about how they can comply with the Data Protection Act 1998 (DPA).
Thrown into this mix, of course, is the latest attempt by the European Commission (EC) to protect privacy rights and provide a uniform approach to data protection with the General Data Protection Regulation.
Although the EC is not looking to implement the Draft Regulation until 2014, the Information Commissioner’s Office (ICO) has released Guidance on the use of cloud computing, in an attempt to address some of these concerns and hopefully shed light on the best approach for cloud customers to take.
Data protection in the cloud
In the world of cloud computing, the cloud provider will, in most cases, be the data processor, passively processing the data, for example, by storing it on its platform.
Depending on the type of cloud used, the cloud provider’s responsibilities could include providing infrastructure, physical security of the premises, operating system and network security.
The cloud customer, on the other hand, will be the data controller, actively processing the data for its own business purposes. Depending on the service model used, its responsibilities could include controlling the virtual infrastructure and any application security.
Although the parties both process data and hold certain obligations as a result, the ICO treats the cloud provider as an extension of the cloud customer, only having the responsibilities of both a data controller and a data processor if acting as a data controller ‘in its own right’.
Because the cloud customer determines the purpose and manner in which the data is processed, the onus is placed on the cloud customer to ensure that the cloud provider complies with the DPA.
In the event of a breach by the cloud provider involving the cloud customer’s personal data, all liability and enforcement action would be directed towards the cloud customer.
What does this mean in practice?
It was recently reported by Europa that 80% of cloud customers achieve an IT costs saving of at least 10-20%, and of these, 20% reporting savings of 30% or more.
Despite this economic benefit, however, failure to comply with the DPA could see a penalty engulfing some or all of this benefit. Penalties for breach of the DPA are seeing fines reaching up to £325,000 making headlines that ‘name and shame’ the cloud customer.
On top of this, the cloud customer could risk their client relationship and overall reputation as a result of the breach. It will be of no further comfort to cloud customers that the Draft Regulation proposes that the current maximum fine of £500,000 be replaced by 2% of the organisation’s global annual turnover.
Best approach to take
Although there is no ‘one size fits all’ approach to data protection compliance, the ICO highlighted the following in its Guidance:
Assess the cloud computing service
The cloud customer should strategically review the type of cloud computing offered (e.g. private, community, public or a hybrid cloud) and the service model required (e.g. Infrastructure as a Service, Platform as a Service or Software as a Service). The ICO emphasises that it is the cloud customer’s choice as to the type of cloud computing it uses and therefore its responsibility to choose that which will allow it to comply with the DPA.
Review the personal data
Different types of personal data will require different measures to be put in place to protect it as the level of protection required will depend on the volume and nature of the personal data and the likely damage that would arise in the event of a breach. Carefully select and categorise the type of data being processed, including any metadata that is collected as a result. If the data is sensitive then the cloud customer should require the information to be encrypted. Alternatively, consider removing sensitive personal data (or indeed all personal data if possible) from the data being transferred. If all personal data can be made anonymous or removed prior to transfer into the cloud, that is even better.
Understand the proposed service model
How will the personal data be processed by the cloud provider? What are the risks and how can they be mitigated? This is especially important to consider when the cloud customer is dealing with cloud providers who are based or who store data outside of the European Economic Area, as in those circumstances steps must be taken to ensure that ‘adequate protection’ is in place to protect it. Ultimately, it is up to the cloud customer to conduct a privacy impact assessment and to form a view on the adequacy of protection afforded to data held in the cloud.
Select the appropriate cloud provider
The cloud customer should ensure that the cloud provider has sufficient physical, technical and organisational security in place. Appropriate contractual assurances to this effect should be obtained but comprehensive due diligence and continuous monitoring is also essential if the cloud customer is to make an informed decision on whether or not the model is compliant with the DPA.
Obtain informed consent
Whether it is a new or an established client, the cloud customer will require consent from its client to process the personal data for the specified purpose. In order to ensure that the consent obtained is ‘fully informed’, certain information will have to be communicated to them. In particular, the client should be informed as to how their personal data will be protected, where it will be stored and who it will be disclosed to. Clients should also be provided with clear instructions as to how to opt out of the process. The Draft Regulations also propose a right to be forgotten, which will need to be considered.
Having a contract in place in place with the cloud provider is essential. It should cover issues such as confidentiality, access control, transfer, deletion, recovery, training and audit requirements as well as security and restrictions in terms of the purposes in which and manner in which the cloud provider can process the personal data. In practice, it is best to avoid non-negotiable terms and conditions, as they might hinder the cloud customer’s ability to comply with the DPA. If necessary, consider using a different provider.
Monitor and review
As mentioned above, the responsibility for ensuring that the personal data is processed in accordance with the DPA, and liability under the DPA remains with the data controller. Cloud customers should therefore continually monitor the cloud provider’s activities in order to ensure that it is complying with its obligations under contract. Reviewing the process and assessing the provisions of the contract will help bring to light necessary areas of improvement in the cloud computing service.
If nothing else, this Guidance has highlighted the fact that liability under the DPA at all times remains with the cloud customer as data controller in respect of the personal data it transfers to the cloud.
It also highlights what is expected from cloud customers in terms of enforcing and monitoring the compliance against the cloud provider.
What is clear, however, is that with the growing popularity of cloud computing and the savings it offers coupled with the significant changes that will be introduced by the Draft Regulation, we will no doubt see a noticeable increase in the administrative burden that this arrangement presents – for both data controller and data processor.