Cloud Technology: Is my Data Secure?Posted in : Business Legal on Data Security on 7 February 2018
This month’s data protection video, brought to us by David Fagan, Head of Business Legal, commercial lawyer and data protection expert, focuses on cloud technology.
David outlines the issues that arise with cloud technology, identifying frequent challenges such as the storage and security of data. David provides guidance on transferring data to the cloud, asking the important questions, for example, whether adequate safeguards have been put in place, whether model clause contracts are in existence and whether consent to transfer the data has been sought. He considers a number of technical issues that are encountered when dealing with data security and makes a number of recommendations when transferring data to the cloud, referring specifically to control and the advantages and disadvantages of data encryption.
Note: David Fagan is speaking at Legal-Island's SOLD OUT Data Protection Update: Ensuring your HR Department is GDPR-Compliant conference on 6th March 2018 in Dublin. If you would like to join the reserve list for this event, please complete the short form on the event page.
Dealing with the Cloud. The first thing to be said about the cloud is that in reality the data protection principles or privacy principles are the same. In a sense it is essentially an arrangement between a data controller and a data processor. The reality may be more complex but in essence the same laws apply. The new General Data Protection Regulation has been drafted with the cloud in mind, but even as things stand, the cloud is captured by existing data protection rules.
The real issue with the cloud is knowing where your data is. At the moment, you need to know where your data is in order to comply with the current regulations, and that will continue. There was an issue of inequality of bargaining power, for instance, you may be a small data controller, and you may have contracted with Amazon or Google or Microsoft, these are very, very large providers and your ability to negotiate terms with those can be quite restricted, even though they are the processor and you are the controller. All of the obligations currently fall on you as the controller. There are limited obligations falling on the processor. The General Data Protection Regulation is going to increase the obligations on data processors.
There can be an issue of multiple subcontractors and multiple jurisdictions. It's not uncommon for mirror sites to be set up, so that your data is in fact being processed not in a jurisdiction, but in several jurisdictions. At the moment, you have liability for the transfers of that data, at least initially, and you should also be aware that you may have liability under model clause contracts, for instance, for further transfers of that data.
So some of the issues that arise with the cloud for a data controller are the issues of the storage of data and security. Sometimes people think that data is less secure in the cloud. But one way of looking at it is to consider whether you would consider the data more secure in a small organisation, perhaps your own organisation with, you know, 5 or 10 employees perhaps. Or perhaps whether you consider that data might just be more secure in an organisation, like Google or Amazon or Microsoft with very large IT security teams. The challenges are obviously different.
The security in the large organisations is much likely to be far superior to the security in the small organisation, but perhaps the threats and risks to the smaller organisation are much less. For instance, if you wish to transfer data to the cloud, you still have to comply with the general requirements of transferring data. You know, is it to a country with adequate safeguards, and if not, are there model clause contracts in existence? Are there binding corporate rules? Was consent to the transfer of that data sought? And these are issues for the data controller because it's the data controller that's liable. That is to say, the organisation that owns the data.
Some other issues are the technical issues that surround all data security. For instance, access control to another organisational controls. You will very likely have zero control over your data in the cloud. You have no way of knowing really what organisation of controls are in place to protect your data, and what technological controls are in place. You will most likely simply have to accept the assurances of the cloud provider.
So the recommendations when putting data into the cloud are really the same recommendations for data that is being sent to any other data processor, perhaps a data processor that's in the same city as yourself. The data controller ought not to relinquish control because the data controller remains liable. The data controller should try as best it can to ensure that any cloud computing that it contracts in should not give any rise to any risks, which wouldn't occur if the data controller had kept possession of the data themselves.
There’s a requirement for a written contract because the cloud provider is a data processor, and there is a requirement for a written contract between a data controller and data processor in order for the processing of data to be lawful in those circumstances.
One technological solution sometimes is to encrypt data before it goes to a cloud. This can create technical difficulties, as working with encrypted data can be more difficult, and sometimes it's technically not feasible, depending on the processing that's to take place. However, if data is encrypted before it goes to the cloud, and is only decrypted once it comes back, in essence, that removes the personal data element from it as long as the cloud provider does not have the ability to decrypt the data. It can often be a simple solution, a simple technological solution to a complex legal problem. Thank you.
The information in this article is provided as part of Legal-Island's Employment Law Hub. We regret we are not able to respond to requests for specific legal or HR queries and recommend that professional advice is obtained before relying on information supplied anywhere within this article.