The many advantages of cloud-based computing are evident to most organisations. It should be equally evident, however, that moving data into the cloud brings with it a new set of regulatory compliance issues, and the GDPR, which comes into force next year, raises the stakes considerably.
With this in mind, here are three key questions you need to ask before signing any contract to make the move to the cloud.
The internet may be without boundaries, but the EU is quite clear that personal data may only be moved outside the EU when adequate safeguards are in place to protect it (an adequacy decision covering the destination country, standard contractual clauses, binding corporate rules, or a recognised certification scheme). And, at the risk of sounding repetitive, the penalties for inadequate data security are about to get a whole lot more severe: under the GDPR, fines can reach 4% of global annual turnover or EUR 20 million, whichever is higher.
Because of this (and the need to protect your reputation), you need to know a lot more than just which country will house the hardware on which your data will reside; you need the address of the premises and a clear understanding of what level of security it provides. This includes the systems and processes it has in place to protect against attacks, and whether backups, replicas and support staff are located in the same jurisdiction, since a copy of your data in another country is still a transfer. For transfers to the US specifically, self-certification to the Privacy Shield framework was the mechanism at the time of writing for demonstrating that you (or your cloud provider) comply with EU and US transfer rules; it covers only US organisations that have self-certified, and since it was later invalidated by the Court of Justice of the EU in July 2020, check the current status of any transfer mechanism before relying on it.
Data in transit crosses networks you do not control, so it is exposed in a way that data sitting in your own data centre is not. You therefore need an appropriate level of protection from end to end: encryption between your systems and the provider's (TLS with current protocol versions and cipher suites, and authenticated endpoints, not just a checkbox that says "encrypted"), and the same scrutiny of how the data is protected at rest once it arrives, including who holds the encryption keys. What appropriate means in practical terms depends on how sensitive your data is.
If it is data that is already public, you may value speed of transfer over maximum security. If the data is commercially sensitive, or if it is personal data, you want the highest level of protection available: strong encryption in transit and at rest, strict access control, and, ideally, keys that remain under your own control rather than the provider's.
If your business holds data that is exceptionally sensitive, such as health-related information or legal documents, you may decide that it needs to stay on your own premises. That does not rule out the cloud model altogether: a private cloud, over which you retain full physical and logical control and which is subject to significant access restrictions, gives you much of the operational flexibility without handing the data to a third party.
It is at this point that you really need to start looking at the nitty-gritty details with your potential provider. The reason each of these questions refers to "my data" is that, in the eyes of the law, that is exactly what it is. You remain the data controller, and the cloud provider acts as a processor on your instructions; delegating the processing to an external party does not delegate your accountability for it.
This means you need service-level agreements (SLAs) in place for anything and everything that matters, and, ideally, the contractual right to conduct audits (preferably unannounced ones) of the provider's compliance, rather than relying on self-certification. The GDPR reinforces this: a processor must be bound by a written contract and must allow for, and contribute to, audits by the controller or an auditor the controller mandates.
You should also look for providers that have a clear, documented incident response plan for alerting you to any issues with the data they host, with a defined contact route and notification timescale written into the contract. Bear in mind that under the GDPR a processor must notify the controller of a personal data breach without undue delay, and the controller in turn has 72 hours from becoming aware of it to notify the supervisory authority, so a provider that cannot commit to prompt notification leaves you unable to meet your own obligations.