According to a recent study, more than 50% of companies worldwide are expected to use at least one public cloud platform; in Germany, 66% of companies already rely on cloud computing services. The associated outsourcing of processing capacity, storage capability and operational obligations is one of the major drivers of the online “data explosion”. The European Commission has also recognised that the use of cloud computing services substantially benefits the European economy. From a legal perspective, however, it does not matter whether you use the cloud solutions of Microsoft, Oracle, Amazon, IBM or any other company. In this article, I want to discuss 10 crucial steps you should consider on your journey into the cloud.
1. Implementation of an IT project management
Did you know that 52 per cent of all IT projects are completed with little success, and 19 per cent even end in complete failure? Considering that most IT projects involve six-figure costs, this is rather shocking. The solution: clearly documented and well-designed IT project management. Planning, implementation, controlling, communication and resource management processes are essential – irrespective of whether the project is sequential or agile, or whether you apply the “scrum” methodology. An orderly process costs time and money; chaos costs even more. According to an established rule of thumb, it makes sense to implement an IT project management process wherever the contract value exceeds EUR 15.000.
You should clearly define the essential requirements of your business. Which storage capacity, data transfer rate, security standards, flexibility and licences does the business model require? Is your current IT infrastructure compatible with the preferred cloud solution? Do the systems need to provide high availability, and can that be implemented? Would you agree to data transfers to third countries? Is there already an established exit scenario? How do you prevent “lock-in” effects? How important is usability? Do you want to use standard or custom-made software? Is your business partner financially sound? As soon as you have a clear idea of the technical, organisational, business, security-specific and legal issues, you should define the corresponding specifications.
3. Cloud versus data processing centre
With regard to business and security-specific issues, it should be clarified whether the company’s data should be stored in the cloud or “on premise” in its own data processing centre. In particular, the following should be carefully considered: physical security of the premises (protection against unlawful access, video surveillance, the principle of dual control, security personnel), failure safety of the systems (redundant hardware, network connections and electric power lines), backup strategies, and the prevention of cyber-attacks.
4. Data security
Does your contractor ensure an adequate level of data protection? Does that level comply with the state of the art? In assessing these requirements, it is possible to rely to some extent on IT-specific certificates. ISO 27001 is of particular importance in practice, and ISO 27018 contains the cloud-relevant rules. However, a certificate is only an indication that the respective applicant met the requirements at the time of certification. Consequently, the customer should regularly verify whether the contractor actually complies with these standards by conducting an on-site audit, and the contractual arrangements should expressly provide for such an audit right. In this regard it should also be noted that the customer can be liable for “his or her” contractor (i.e. the cloud service provider) – even where this is based on mere negligence.
5. Drafting of the cloud computing agreement
The relevant agreement should be prepared once the issues described in steps 1 to 4 have been duly considered. Please note that the use of “standardised templates” is not recommended. A typical cloud service agreement includes the following:
- description of services;
- granting of licences;
- audit rights;
- process in connection with change requests;
- limitations of liability;
- country-specific provisions;
- jurisdiction clause;
- contractual term;
- data protection provisions;
- termination rights.
6. Negotiation of the cloud computing agreement
Where standardised cloud computing agreements are used, the contractor will generally insist on his or her own templates. It is difficult, though not impossible, to deviate from such agreements. It is therefore important that your company becomes “dependent” on the contractor at the latest point possible: the more confident the contractor feels, the less willing he or she will be to agree to any deviations from the standard template.
7. Drafting and negotiating of service level agreements
Where the contractor is responsible not only for the infrastructure but also for ongoing maintenance on behalf of the customer (Software as a Service), a maintenance agreement should be concluded before entering into the cloud computing agreement. So-called service level agreements should clearly define the contractor’s services. If the contractor fails to ensure the agreed “uptime”, the customer should be entitled to a contractual penalty irrespective of the contractor’s fault or, as is common practice, to so-called “service credits” (i.e. credit notes).
8. Licence agreements
The software provided by the contractor is in general protected by copyright. Consequently, the cloud computing agreement must specifically determine who is authorised to use the software, to what extent, and in which manner. A corresponding licence management system should be used to maintain an overview of the software licences currently in use. Without such a system, subsequent claims for licence fees due to insufficient licensing may threaten the existence of the business in the event of an audit by the contractor.
9. Data processing agreement
The customer should only engage contractors (cloud service providers) to process personal data if they provide suitable safeguards that appropriate technical and organisational measures for the protection of personal data are implemented. Where the contractor processes personal data on behalf of the customer (e.g. storage), the parties must enter into a data processing agreement in accordance with Art 28 GDPR. A data processing agreement will generally be required for SaaS arrangements (“Software as a Service”). In the case of “mere” IaaS (“Infrastructure as a Service”), whether a data processing agreement is required must be assessed for each individual case. When selecting the contractor, the customer can also be liable for fault in the selection of its agent. A regular on-site audit of the contractor is therefore highly recommended.
10. International transfer of data
In the course of cloud computing projects, personal data are regularly transferred to third countries. Any country which is not a member state of the European Union or of the EEA (Liechtenstein, Norway, Iceland) is considered a third country. The European legislator generally assumes that third countries (including the USA) do not ensure an adequate level of data protection. A customer must therefore consider (i) whether a transfer of data to a third country is justified and, if so, (ii) how to ensure an adequate level of data protection in that third country. Adequacy decisions, Privacy Shield certifications and standard data protection clauses are of particular importance in ensuring an adequate level of data protection.