Storing data in the cloud is an increasingly common business practice. Data protection law is mandatory, however, and using cloud storage brings a range of risks because of the UK GDPR compliance requirements that apply to it.
In this article, we’ll explore some of the key issues for businesses to consider around cloud storage and UK GDPR compliance.
For further information about complying with data protection laws, see our comprehensive guide to GDPR compliance for business, alongside this article.
What is cloud storage?
Cloud storage, in simple terms, means using a virtual hard drive to save and store your files online, so files are stored in what is commonly referred to as ‘the cloud’. This means that the files are not stored on your local machine, but instead, are hosted remotely and can be accessed over a network. Once a file has been uploaded to the cloud, it can usually be accessed by any device which has an internet connection.
Common examples of cloud storage providers include:
- Google Drive
- Microsoft OneDrive
Cloud storage is a very flexible and convenient way of backing up files, and it can significantly reduce the risk of losing data. However, using cloud storage also comes with risks, particularly around compliance with the stringent UK GDPR rules.
Some of the risks of using cloud storage include the following:
- You will not control the infrastructure on which the data is held, so the data security of the cloud provider is vital.
- If any personal data is held in the cloud, the UK GDPR will apply to it in full.
- If the cloud storage servers are located outside the UK (or outside the EEA, where the EU GDPR also applies to the data), the international data transfer rules are engaged and carry serious risks if they are not followed.
- A written contract is needed with the cloud storage provider to ensure that data held in the cloud is protected (see the contractual points below). Depending on the provider, however, negotiating contractual terms can be very hard, as large providers typically insist on their own standard service terms.
Is cloud storage GDPR compliant?
Many UK businesses have adopted the cloud for data storage and a range of other purposes. It is crucial for those organisations to make sure that the cloud system they use is UK GDPR compliant. So long as personal data in the cloud is processed and controlled in accordance with the UK GDPR, there is no reason why your organisation should fall foul of data protection law. In practice, however, this can be difficult because several rules apply at once. For example, the UK GDPR strengthens the rights of individuals considerably and gives data subjects greater access to their data. So whatever cloud storage system you use, you must ensure that the data remains easily accessible to you and that you can facilitate data subject rights requests (such as access and erasure requests) within the statutory time limits.
Are cloud storage providers data processors or data controllers?
Typically a cloud storage provider will be a data processor, but this depends on how and why it uses the personal data.
Under the UK GDPR, the controller is the party that determines the purposes and the means of the processing: it decides why the data is held and specifies how it is to be processed.
A processor processes personal data only on the controller's documented instructions. So, when considering whether a cloud storage provider is a controller or a processor, it is necessary to examine the nature of the provider's role. Often the cloud storage provider does not collect any information of its own and is contractually prohibited from using any of the data for its own purposes, which makes it a processor. But if the provider decides what data to process and why (for example, by mining customer data to improve its own services), it is a controller for that processing, with all the obligations that brings.
The distinction is important because controllers and processors have different responsibilities and liabilities under the UK GDPR, particularly when a personal data breach occurs.
This is a critical point, as it will determine (amongst other things) which type of contractual terms you need to have in place and what they should cover. If you’d like advice on your specific arrangement with a cloud services provider and the roles of each party, please contact us.
Customer using cloud storage services – practical tips for UK GDPR compliance
Assuming your organisation is the controller of the personal data you store in the cloud, here are some key tips to ensure that your use of cloud storage is UK GDPR compliant:
- Assess the data you will store in the cloud right at the start. Understand what data you are placing in the cloud and how it is going to be processed. Note that if you decide what data goes into the cloud and why, you will be the controller of that data and remain responsible for compliance in respect of it, including reporting any notifiable personal data breach affecting it.
- Check which security measures the cloud storage provider has in place in relation to the data it stores. Selecting a suitable cloud storage provider is fundamental to ensuring that your data is secure and that the risk of a data breach is minimised. For example, check whether the provider has a team of security professionals to maintain its defences and build its security infrastructure. Check whether it undergoes independent third-party audits to verify its security measures (for example, a SOC 2 report) and whether it is certified against a recognised security standard such as ISO 27001. A certificate or report covers a defined scope, so check that the service and data centres you will actually use fall within it.
- Sign a written contract setting out the responsibilities of the cloud storage provider. Where the provider is a processor, Article 28 of the UK GDPR makes such a contract mandatory and prescribes its minimum content, including that the provider processes the data only on your documented instructions, keeps it confidential, implements appropriate security measures, only appoints sub-processors with your authorisation, assists you with data subject requests and breach obligations, deletes or returns the data at the end of the service and allows audits. In particular, watch out for limitation of liability clauses that seek to cap or exclude the provider's liability for breaching the UK GDPR; this is high risk given the potential fines under the UK GDPR (up to £17.5 million or 4% of worldwide annual turnover, whichever is higher).
- Make sure you can verify ongoing compliance with the guarantees the provider gives on security and other issues. Check that the contract gives you audit or information rights, or at least a right to receive the provider's current audit reports and certifications, so that you can confirm the provider is complying with its security assurances throughout the contract and not only at signing.
- Check how the provider will deal with practical issues around data subject rights and other UK GDPR rules. For example, how would it respond if an individual requested a copy of their data held by the cloud storage provider? How will the provider deal with data retention and deletion, including deletion from backups?
- Take steps to prevent data breaches, and to respond to them quickly. For example, check what processes the cloud storage provider has in place to prevent breaches and how quickly it will notify you of one. A processor must notify the controller of a personal data breach without undue delay, and you as controller have 72 hours from becoming aware of a notifiable breach to report it to the ICO, so the contract should commit the provider to prompt notification with enough detail for you to meet that deadline.
- Check where the data will be stored and from where it will be accessed. Will it be held inside the UK or in another country? The UK GDPR restricts transfers of personal data outside the UK: a transfer is permitted to a country covered by UK adequacy regulations (which include the EEA countries), or otherwise only with appropriate safeguards such as the ICO's International Data Transfer Agreement (IDTA) or the UK Addendum to the EU standard contractual clauses, or under a limited exception. Equivalent rules apply under the EU GDPR to transfers outside the EEA for data subject to that regulation. Note that remote access to the data by the provider's support staff in a third country also counts as a transfer. To ensure compliance, check whether your cloud provider can commit to storing the data in the UK (or another adequate country) and, if not, that the international transfer rules are followed. This is a complex issue, so please see our article on international data transfers for further information and contact us if you would like advice.
What to do if you are a service provider offering cloud storage services?
The key points above apply to customers of cloud storage providers. Cloud storage providers themselves also have several obligations under the UK GDPR which should not be overlooked.
For example, as a cloud storage provider you should:
- Assess your compliance with the UK GDPR and ensure you are meeting the mandatory legal rules that apply to your business.
- Review your data sets and services and consider whether you act as a controller or a processor for each, including careful consideration of which data will be held on behalf of customers, how it will be stored, who can access it and how it will be protected.
- Consider where the data will be located and from where it will be accessed, and comply with any international data transfer rules that arise.
- Ensure you have contractual terms in place with your customers that contain the data protection clauses the UK GDPR requires (for a processor, the Article 28 terms).
- Ensure you have appropriate technical and organisational security measures in place to safeguard the personal data you hold on behalf of your customers, together with measures to prevent, detect and report personal data breaches to your customers without undue delay.
- Consider how you would respond to data subject rights requests for any personal data processed in the cloud, and how you will assist your customers in responding to them.
- Consider whether personal data held in the cloud can be properly erased (including from backups) when a cloud storage agreement with a customer ends.
- Where required, conduct a Data Protection Impact Assessment and appoint a Data Protection Officer.
The UK GDPR responsibilities of cloud storage providers will depend on the types of personal data they hold and why it is used – please contact us if you would like specific advice on your cloud storage business and the rules which you need to follow in order to be compliant.
As we have noted, the use of cloud storage services presents several risks from a privacy law perspective. The UK GDPR rules are nevertheless mandatory, and cloud storage customers and providers alike need to follow them.
If you would like legal advice on this topic, please contact our specialist team, who can assist with both data protection compliance advice and the drafting and negotiation of cloud storage agreements to protect your business.