May 21, 2014
Hands up if your company outsources IT storage and/or processes. Storage services like Google Drive or Dropbox, or remote computing and hosting offered through Google Apps or Amazon Web Services are extremely popular not only with SMEs, but with all sizes of companies. Many companies depend on applications like Gmail, Salesforce, BaseCamp and Xero to run key business processes. Perhaps your company has even deployed Google’s Chromebook devices.
These are all examples of services delivered through the “cloud,” which is simply a marketing term for services delivered via remote access. They can be hardware or software based, but the essential part is the physical separation between access and processing/storage.
While there are great benefits to cloud computing, this separation introduces new business risks, including data privacy compliance. This article will review some of the key issues businesses must consider regarding cloud computing and data privacy.
Privacy laws are developing rapidly and apply wherever you have customers
The first principle to appreciate is that data privacy laws apply in the jurisdiction where your customer lives, not only in the domicile of your company. For many U.S.-based companies, the most onerous data privacy policies to which they are subject come from the European Union, not the U.S.
The EU Data Protection Directive 1995 (the “Directive”) requires member states to implement its principles into local legislation. The primary emphasis of these principles is transparency and consent; the data subject must provide consent to the collection, storage and processing of his or her personal information for the purpose identified when obtaining consent. Consent can be obtained through the use of an online data privacy notice, which requires the data subject, the person whose information is being collected, to agree to its terms. But beware, these policies are undergoing intense scrutiny in the EU to ensure consent is limited to a specific use and is given freely.
The Directive’s principles also prohibit transfers of personal information out of the EU unless the receiving country ensures adequate levels of data protection as determined by the European Commission. This can be tricky when using a cloud provider since cloud providers or their servers can be located anywhere. It is your responsibility to know where the personal information collected is being transferred and/or processed.
Outsourcing functions doesn’t outsource legal responsibility to protect customer data
When it comes to cloud computing, by outsourcing certain processes you are not absolving your company from complying with data privacy laws. In fact, operating in the cloud introduces another layer of review for your internal compliance because you must evaluate your cloud computing provider’s compliance with the laws to which your company is subject.
While this advice should sound reasonable, normally SMEs don’t have the internal expertise or resources to make a proper review. Such tasks can be assigned to independent auditing and legal firms, for example.
Data privacy policies are often an afterthought for many companies, particularly startups and SMEs, let alone making time to put in place a reliable process for ongoing compliance monitoring. Even mid-sized companies would find it hard to justify hiring a full-time expert to monitor data privacy compliance.
One way to address this resource constraint is to outsource the duties of a data protection officer. This provides a permanent resource on standby, rather than contracting for specific purposes with a specialist who will only deliver a one-time report.
The cost and efficiency benefits of the cloud are obvious, and pervasive broadband connectivity makes it more feasible than ever to operate the IT aspects of your business in the cloud.
With the heightened consumer awareness of the impact of data breaches, non-compliant companies are exposing themselves to the potential for significant fines. Already, the EU has fined Google, Facebook and other leading companies as test cases. While such companies attract the most scrutiny due to their high profiles, the rules are universally applicable to companies operating in the EU.
But when your business stores personal data on someone else’s servers a degree of control over this sensitive data is lost. Beware, data privacy laws do not permit the cloud user to shift the risk of violation solely to the cloud provider. Staying compliant with data protection laws around the world will require you to ensure that any cloud provider also abides by the same regulatory and legal requirements.
The key data privacy principle is disclosure.
Wendy Kennedy Esq. is an international attorney and practice leader with Interstice Consulting, specializing in data privacy issues. She edits the International Business, Trade and Taxation blog and is co-author of the eBook Data Privacy: A Practical Guide published in April 2014. Her Twitter account is @wkcantab.