More and more businesses are making the transition from local disc storage to cloud-based storage systems. As a result the issue of cloud storage security has assumed greater prominence than ever. Essentially cloud storage involves harnessing a cloud storage provider’s hardware (often based in a remote physical location) to store your data. You can then access the data through the internet.
There are many advantages of storing data on the cloud. For example, you’ll reduce your data storage and management costs and there’ll often be less chance of losing data. However many of the businesses we work with have expressed concerns that they could fall foul of GDPR compliance requirements by storing data on the cloud. This could possibly be because there is a perception of a loss of control over data once it is on the cloud. Here we examine some of the main issues to consider about cloud storage and GDPR.
You might find it useful to read our comprehensive guide to GDPR compliance for business alongside this article.
- Is cloud storage GDPR compliant?
- What should you think about when adding personal data to the cloud?
- What are the challenges of cloud computing and GDPR?
- Are cloud storage providers data processors or data controllers?
- What to look out for when choosing a cloud storage solution for your business
- How to prevent data breaches with cloud storage
Is cloud storage GDPR compliant?
A significant percentage of UK businesses have adopted the cloud for data storage and a range of other purposes. It’s crucial for those organisations to satisfy themselves that the cloud system they use is GDPR compliant. So long as data on the cloud is processed and controlled in accordance with GDPR then there is no reason why your organisation should fall foul of data protection laws.
Bear in mind that GDPR strengthens the rights of individuals considerably: data subjects now have greater access to their data, and they have much more of a say over how their data is used. So whatever data storage system you use, you must ensure that the data remains easily accessible and that you have well-documented reasons for processing it.
What should you think about when adding personal data to the cloud?
Cloud service companies as data processors will already have thought through the implications of data protection law and data storage. But liability for data breaches will ultimately rest with you as a data controller. So before agreeing to use a cloud storage provider’s services take the time to satisfy yourself that the provider is the right fit for your organisation and your data storage requirements.
Here are some things to consider when using the cloud for data storage:
Data sovereignty – do you know where your data is held?
Most platforms will offer a choice of locations to store data. GDPR specifies that data must be stored within the EU or in a jurisdiction where a country outside the EU offers an adequate level of data protection. Currently, the European Commission has recognised Andorra, Argentina, Canada (commercial organisations), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Switzerland and Uruguay as providing adequate protection. It has further adopted two adequacy decisions for transfers of personal data to the UK.
To ensure GDPR compliance, it’s necessary then to check that your cloud provider has a storage facility within the EU or in a country that has laws compatible with GDPR. In the US (where many cloud services are based) a divergence in approach to data protection law from the approach taken by the EU resulted in the introduction of an EU/US Privacy Shield. However, this was invalidated by the Court of Justice of the European Union (CJEU) on 16 July 2020 in the case of Facebook Ireland v Schrems, (Schrems II). The court determined that in certain cases, it enables access by the US government to personal data which results in insufficient protection of EU personal data.
Check for compliance with GDPR principles relating to individuals
You must be able to provide individuals with their information in a usable format when requested. In addition, the data must be capable of being erased and can only be used for the purpose for which it was originally processed.
Have you met the legal requirement of ‘data protection by design and by default’?
GDPR strengthened the previous requirement of protection by design by requiring companies to consider data protection and privacy issues in everything they do. Successful compliance with this requirement is largely down to comprehensive staff training. Many high profile data breaches have been the result of a failure by staff to secure data on cloud services.
What are the challenges of cloud computing and GDPR?
We’ve already pointed out some of the issues that arise when storing data on the cloud.
It’s all about assessing risk: What data will be held on the cloud and how do you intend to process it? More importantly, how do you intend to keep it safe?
Different cloud providers offer services that are geared toward particular industries and sectors. Rather than create a bespoke service that may increase risks it may be preferable to use a service that has been tried and tested by companies similar to yours.
Be wary though of a service provider who will not allow you to modify the way it will process and safeguard the data you entrust to it: You will normally still be the controller of data that you place on the cloud, and liable for any breach as a result. It’s therefore essential to get the right agreement with the cloud provider and regularly monitor how the provider is performing and how your contractual arrangements are being complied with.
Are cloud storage providers data processors or data controllers?
Whether a cloud storage provider is a data processor or data controller will depend on the agreement that is in place. Under GDPR, controllers exercise overall control of the data being stored. They decide what the purpose for holding the data is and will specify how the data is processed. Processors always act for the controller – and crucially, processors act on the controller’s instruction. So when considering whether a cloud storage provider is a controller or processor it’s necessary to examine the nature of the provider’s role. Often the cloud storage provider won’t collect any information of its own and contractually won’t be able to use any of the data for its own purposes (meaning it’s a processor). But if the provider decides what data to process and why, it is a controller. Conversely if it’s your organisation that takes control of the data (usually the case) then you will be the controller.
The distinction is important because data controllers and data processors have different responsibilities and liabilities – particularly when a data breach is recorded. Well-known cloud storage providers like Dropbox will usually have very clear information for potential customers on their websites indicating that they are normally processors of customer data and not controllers.
What to look out for when choosing a cloud storage solution for your business
Selecting a suitable cloud storage provider is fundamental to ensuring your data is secure and the risk of any data breach is minimised. Many of the larger providers will offer limited scope to change their usual contractual terms so you should carry out an assessment of the different providers to ensure you choose the best storage solution for your business.
- What security measures does the provider have in place in relation to the data it stores? As we have seen responsibility for preventing unlawful processing and accidental loss of data ultimately lies with you as the controller, so you need to be satisfied that any provider has adequate security procedures in place.
- How can you ensure ongoing compliance with the guarantees given by the provider on security and other issues? Check that you will be able to verify – on a regular basis – that the provider is complying with the security assurances provided. For practical reasons, reviews like this will usually be carried out by an independent third party who will then publish an assessment that’s available to all customers of the cloud storage provider.
How to prevent data breaches with cloud storage
As cloud storage becomes more and more prevalent it’s important to remember that the nature of cloud computing and storage means it’s not risk-free. Some of the most serious data breaches in recent years have been from cloud-based storage systems and have involved some of the biggest global corporations, including Apple, Microsoft and Yahoo. Here are some steps to take to minimise the chances of being affected by a data breach when using cloud storage:
- Get a written contract setting out responsibilities of the cloud storage provider
- Assess your data: What data are you placing on the cloud and how is it going to be processed?
- What guarantees of confidentiality is your provider giving you?
- What processes are in place at the cloud storage provider to deal urgently with any identified breach risk?
- How will the provider deal with issues like data retention and destruction?
- Can the cloud provider give you easily readable data at short notice?