Site   Web

May 21, 2014

Cloud Computing Raises Data Privacy Issues

Cloud Security
Photo Credit: FutUndBeidl via flickr

Hands up if your company outsources IT storage and/or processes. Storage services like Google Drive or Dropbox, or remote computing and hosting offered through Google Apps or Amazon Web Services are extremely popular not only with SMEs, but with all sizes of companies. Many companies depend on applications like Gmail, Salesforce, BaseCamp and Xero to run key business processes. Perhaps your company has even deployed Google’s Chromebook devices.

These are all examples of services delivered through the “cloud,” which is simply a marketing term for services delivered via remote access. They can be hardware or software based, but the essential part is the physical separation between access and processing/storage.

While there are great benefits to cloud computing, this separation introduces new business risks, including data privacy compliance. This article will review some of the key issues businesses must consider regarding cloud computing and data privacy.

Privacy laws are developing rapidly and apply wherever you have customers

The first principle to appreciate is that data privacy laws apply in the jurisdiction where your customer lives, not only in the domicile of your company. For many U.S.-based companies, the most onerous data privacy policies to which they are subject come from the European Union, not the U.S.

The EU Data Protection Directive 1995 (the “Directive”) requires member states to implement its principles into local legislation.  The primary emphasis of these principles is transparency and consent; the data subject must provide consent to the collection, storage and processing of his or her personal information for the purpose identified when obtaining consent.  Consent can be obtained through the use of an online data privacy notice, which requires the data subject, the person whose information is being collected, to agree to its terms.  But beware, these policies are undergoing intense scrutiny in the EU to ensure consent is limited to a specific use and is given freely.

The Directive’s principles also prohibit transfers of personal information out of the EU unless the receiving country ensures adequate levels of data protection as determined by the European Commission.  This can be tricky when using a cloud provider since cloud providers or their servers can be located anywhere.  It is your responsibility to know where the personal information collected is being transferred and/or processed.

The EU is currently working toward adoption of a more robust data privacy regulation.  This new regulation will impose stiffer requirements around obtaining consent, create new access and control options for data subjects and impose more severe penalties for non-compliance. This new regulation could be effective as soon as 2015.  Given the ever-increasing legal requirements and complexities arising from data privacy laws globally, engaging an outsourced data privacy officer to bring specific expertise and focus to develop and implement your data privacy policy or to complete periodic data privacy audits and ensure compliance is a simple answer.

Outsourcing functions doesn’t outsource legal responsibility to protect customer data

When it comes to cloud computing, by outsourcing certain processes you are not absolving your company from complying with data privacy laws. In fact, operating in the cloud introduces another layer of review for your internal compliance because you must evaluate your cloud computing provider’s compliance with the laws to which your company is subject.

At a minimum, this requires you to review the basic business processes of your cloud service provider, and should be done prior to entering into any contracts. Your review should also include the locations where they process and store your customer data. In addition, examine the cloud provider’s privacy policy, security, redundancy practices and disclosure policy. If you identify areas of concern that would potentially expose your company to the risk of noncompliance with your relevant data protection laws, push for changes to the provider’s terms and conditions.

While this advice should sound reasonable, normally SMEs don’t have the internal expertise or resources to make a proper review. Such tasks can be assigned to independent auditing and legal firms, for example.

Formulating your data privacy policy and monitoring compliance

Data privacy policies are often an afterthought for many companies, particularly startups and SMEs, let alone making time to put in place a reliable process for ongoing compliance monitoring. Even mid-sized companies would find it hard to justify hiring a full-time expert to monitor data privacy compliance.

One way to address this resource constraint is to outsource the duties of a data protection officer. This provides a permanent resource on standby, rather than contracting for specific purposes with a specialist who will only deliver a one-time report.

Your data privacy policy should be carefully thought out in view of the laws in all relevant jurisdictions in which your company operates either directly or via your cloud service providers. It would normally be documented on your company’s website, and you should collect positive evidence of each customer’s acknowledgement of its terms.

The DPO can assist not only with writing your data privacy policy and in documenting compliance, but also in training employees and delineating procedures to follow in case of a data breach.

Wrapping up

The cost and efficiency benefits of the cloud are obvious, and pervasive broadband connectivity makes it more feasible than ever to operate the IT aspects of your business in the cloud.

With the heightened consumer awareness of the impact of data breaches, non-compliant companies are exposing themselves to the potential for significant fines. Already, the EU has fined Google, Facebook and other leading companies as test cases. While such companies attract the most scrutiny due to their high profiles, the rules are universally applicable to companies operating in the EU.

But when your business stores personal data on someone else’s servers a degree of control over this sensitive data is lost. Beware, data privacy laws do not permit the cloud user to shift the risk of violation solely to the cloud provider. Staying compliant with data protection laws around the world will require you to ensure that any cloud provider also abides by the same regulatory and legal requirements.

The key data privacy principle is disclosure.


avatar

Wendy Kennedy Esq. is an international attorney and practice leader with Interstice Consulting, specializing in data privacy issues. She edits the International Business, Trade and Taxation blog and is co-author of the eBook Data Privacy: A Practical Guide published in April 2014. Her Twitter account is @wkcantab.

css.php