In a previous blog we considered the General Data Protection Regulation, its incorporation and potential effects following the result of the EU referendum. This article concentrates more specifically on the use of cloud services and gives an overview of the current regulation surrounding their use. For a more comprehensive view, please read more with our download ‘Cloud Services and the Data Protection Act 1998’.
What are Cloud Services?
Cloud computing is used to access data and resources on demand via computing networks. This can include storage, software and processing. The data is transferred to and from cloud providers to a private, community or public cloud.
Cloud Services and the Data Protection Act 1998 (“the DPA”)
The DPA regulates the processing of personal data and is likely to apply to most cloud services. The following steps should be considered carefully to ensure compliance. Note, however, that cloud computing is varied and in most cases tailored to the customer, so each arrangement must be considered on its own merits:
- Identify the data controller
The designated data controller will have the definitive responsibility for DPA compliance.
- Assess the risks and regular performance review
Once you have determined what data will be stored and chosen a cloud provider, you must assess the specific risks and how best to mitigate them.
- Provide information and contract for use
The data provider should take appropriate steps to ensure that end users are aware of compliance information and the arrangements in place, and that a written contract is drawn up with the provider.
Which provider should I use?
Cloud provider selection is a significant part of ensuring DPA compliance. Currently the largest service providers and market leaders are Amazon Web Services, Microsoft, IBM Cloud and SoftLayer, Google and Salesforce. Points to consider and be aware of are as follows:
Cloud Services outside of the UK
It is common practice for service providers to have data centres and resources outside of the UK. This can improve reliability, as not all data is stored or processed in one location, but it can also mean that the precise location is difficult to identify.
You should ask your provider for a list of countries where data is to be stored or processed, and for the risk-mitigating security provisions in place.
For further information read more with our download ‘Cloud Services and the Data Protection Act 1998’.