Cloud modernisation has accelerated rapidly since the start of the pandemic. But the fact that a third party is looking after your data doesn't mean you're no longer responsible for protecting it.
This article will examine the fundamental relationship between cloud modernisation and data protection and explore the essential considerations for organisations hoping to reap the benefits of using cloud infrastructure.
The Rapid Acceleration of Cloud Modernisation
In April 2020—just weeks after most companies adopted remote-working practices—Microsoft CEO Satya Nadella said the company had seen “two years’ worth of digital transformation in two months,” as the use of cloud solutions suddenly soared.
A Flexera survey conducted the same month found that nearly 60% of companies expected to outspend their planned cloud infrastructure budget. The trend continued, with research from Synergy Research Group suggesting that cloud infrastructure spending grew 39% between Q2 2020 and Q2 2021.
Public cloud infrastructure provides the flexibility many businesses need, whether operating remotely, on-site, or on a hybrid basis.
But while remotely storing or processing data brings convenience, using a cloud service provider comes with critical data protection and security considerations that must not be neglected.
Terms of Service
You’re in control of your company’s data, including the data you collect from customers, business partners, employees, and other stakeholders.
This means you’re responsible for conducting due diligence before choosing a cloud infrastructure provider. And if you fail to notice any non-compliance or poor practice on the provider’s part, you could be liable for any legal violations and data breaches that occur.
As the United Nations Commission on International Trade Law has observed, most jurisdictions place legal liability primarily on the data controller (in this case, the company storing data in the cloud) rather than on the data processor (the cloud service provider).
Before selecting a cloud service provider, read its terms very carefully. You should also conduct periodic reviews of any contracts you have in place with cloud providers and other data processors.
Check the provider’s service level agreement, and examine the contract for any limitations of liability or indemnity clauses—but realise that it might not be possible for you to exclude liability for your choice of provider if things go wrong.
Data Security Measures
You can’t assume that every cloud service provider will have the right security controls in place to keep your data safe—or to ensure you’re complying with the law. You are accountable for assessing a provider’s security protocols before you start sending them your data.
A good starting point when assessing a provider’s security controls is to check whether the provider is certified with a recognised framework or standard.
There’s a somewhat bewildering range of security certifications, but among the best-respected are those based on standards from the International Organization for Standardization (ISO), such as ISO/IEC 27001 for information security management and its cloud-specific extensions: ISO/IEC 27017, which adds cloud security controls, and ISO/IEC 27018, which covers the protection of personal data by public cloud providers acting as processors.
You could also check whether the provider is certified under a government-backed scheme, such as the UK’s Cyber Essentials programme.
However, it’s important to note that just because a cloud service provider adheres to a particular security standard, this doesn’t necessarily mean that using that provider will ensure you’re complying with your legal obligations under data protection or privacy law.
You’ll need to consider your legal obligations, which will partly depend on the type of data you’re processing in the cloud and the purposes for which you’re using the provider.
Conducting further due diligence will be necessary, such as requesting information about the provider’s specific security controls, checking that certifications are up-to-date and that their scope actually covers the service and regions you intend to use, and asking for the results of recent audits (for example, the provider’s latest SOC 2 or ISO audit report) rather than just the certificate.
You also need to consider which security measures to take regarding the data you’re storing in the cloud. For example, some data may require anonymisation, encryption or pseudonymisation depending on the nature and purpose of the data.
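The difference between the measures mentioned above matters in practice. The Python example below is added here and is not code from the original article; it uses only the standard library and constructed sample records. It contrasts a naive unkeyed hash of a customer email (which looks pseudonymous but can be reversed by anyone who can guess plausible inputs) with HMAC-based pseudonymisation under a key the controller keeps outside the cloud dataset, and shows what an attacker holding the dataset can and cannot recover in each case. The key, record layout and guess list are all assumptions made for the example.

```python
import hashlib
import hmac

# Constructed sample records; these are not real customer data.
RECORDS = [
    {"email": "alice@example.com", "plan": "pro"},
    {"email": "bob@example.com", "plan": "free"},
]

# Constructed key for the example. In production generate it with
# secrets.token_bytes(32) and keep it with the controller (KMS, HSM or a
# separate secrets store), never alongside the pseudonymised dataset.
CONTROLLER_KEY = b"example-controller-key-held-outside-the-cloud-dataset"


def naive_pseudonym(identifier: str) -> str:
    """Unkeyed SHA-256. Deterministic and one-way, but anyone holding the
    dataset can re-identify a token by hashing guessed identifiers."""
    return hashlib.sha256(identifier.encode("utf-8")).hexdigest()


def keyed_pseudonym(identifier: str, key: bytes) -> str:
    """HMAC-SHA256 under a secret key. Tokens stay stable, so records can still
    be joined and deleted on request, but they cannot be linked back to the
    identifier without the key."""
    return hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()


def pseudonymise(records, key: bytes):
    """Replace the direct identifier with a keyed token before upload.
    The token -> identifier link exists only where the key is held."""
    return [
        {"subject_token": keyed_pseudonym(r["email"], key), "plan": r["plan"]}
        for r in records
    ]


def reidentify_by_guessing(token: str, candidates, pseudonym_fn):
    """Model an attacker (or an over-curious processor) who has the dataset
    and a list of plausible identifiers: tokenise each guess and compare."""
    for guess in candidates:
        if hmac.compare_digest(pseudonym_fn(guess), token):
            return guess
    return None


def demo():
    """Return (recovered_from_naive, recovered_from_keyed_without_key,
    recovered_from_keyed_with_key) for the same target identifier."""
    guesses = ["carol@example.com", "alice@example.com", "bob@example.com"]
    target = "alice@example.com"

    # Unkeyed hash: a short guess list is enough to re-identify the record.
    naive = reidentify_by_guessing(naive_pseudonym(target), guesses, naive_pseudonym)

    # Keyed token: the same guess list gets nowhere without the controller's key.
    keyed_token = keyed_pseudonym(target, CONTROLLER_KEY)
    without_key = reidentify_by_guessing(
        keyed_token, guesses, lambda g: keyed_pseudonym(g, b"attacker-guessed-key")
    )

    # The controller, holding the key, can still resolve the token when it
    # legitimately needs to (e.g. to act on an erasure request).
    with_key = reidentify_by_guessing(
        keyed_token, guesses, lambda g: keyed_pseudonym(g, CONTROLLER_KEY)
    )
    return naive, without_key, with_key


if __name__ == "__main__":
    for row in pseudonymise(RECORDS, CONTROLLER_KEY):
        print(row)
    print(demo())
```

Two caveats follow from this. First, pseudonymised data is still personal data under the GDPR because the controller can reverse it, so it does not remove the obligations discussed in this article; only genuine anonymisation does. Second, the protection depends entirely on where the key lives: if the key is stored in the same cloud account as the tokens, the provider (or anyone who compromises that account) is back to the unkeyed situation.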
Location of Infrastructure
Before selecting a cloud service provider, you’ll also need to consider the location of the provider’s data centres. Will you be transferring personal data across borders by using the provider’s infrastructure?
Transferring personal data to another country isn’t necessarily prohibited, but you’ll need to comply with any rules on international data transfers. Such rules are particularly strict under the General Data Protection Regulation (GDPR), which applies across the EU and EEA and has been retained in UK law as the UK GDPR.
If you’re covered by the GDPR and you transfer personal data to a provider in a “third country” outside the European Economic Area, you’ll need a lawful transfer mechanism: an adequacy decision for the destination country, or appropriate safeguards such as the European Commission’s Standard Contractual Clauses or Binding Corporate Rules, backed by an assessment of whether the destination’s laws (for example, government access powers) would undermine those protections. Bear in mind that data centre location alone does not settle the question: ask where data is stored, where backups and replicas are kept, and where support staff who can access the data are located, since a provider headquartered elsewhere may be subject to that country’s access requests even for data held in the EEA.
Access Controls
Once you’re set up with a cloud services provider, you’ll need to implement access controls to ensure that only the appropriate people can access data, both from outside your organisation and from within.
Developing an Identity and Access Management (IAM) policy is a good way to set out who has access to which resources in the cloud.
An IAM policy allows you to manage access to cloud resources by binding principals (the users, groups, service accounts or domains that can access a resource) to roles (named bundles of permissions, where a permission is a specific action such as reading or deleting an object), so that each principal holds only the permissions its job actually requires.
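To make the principal/role/permission model concrete, here is an added Python example (not code from the original article) that models a cloud-style IAM policy for a storage bucket, resolves the effective permissions of a principal, and audits the policy for two common least-privilege failures: bindings to public members (anyone on the internet) and grants of broad basic roles. The role-to-permission bundles, group memberships and the sample policy are simplified assumptions constructed for the example; they follow Google Cloud naming conventions but are not the provider’s full definitions.

```python
from typing import Dict, List, Set

# Illustrative role -> permission bundles in the GCP naming style. The
# permission sets are simplified assumptions for this example; "*" stands
# for "every permission on the resource".
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "roles/storage.objectViewer": {"storage.objects.get", "storage.objects.list"},
    "roles/storage.objectAdmin": {
        "storage.objects.get", "storage.objects.list",
        "storage.objects.create", "storage.objects.delete",
    },
    "roles/owner": {"*"},
}

# Basic roles grant far more than any single workload needs.
BASIC_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}
# Special members that make a resource reachable by anyone (allUsers) or by
# anyone holding any account with the provider (allAuthenticatedUsers).
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}

# Constructed group membership. The example resolves groups itself because it
# runs offline with no directory to query.
GROUPS: Dict[str, Set[str]] = {
    "group:analysts@example.com": {"user:alice@example.com"},
}

# Constructed policy for one bucket. The first two bindings are reasonable;
# the last two are the kind of mistake the audit below should catch.
BUCKET_POLICY = {
    "bindings": [
        {"role": "roles/storage.objectViewer",
         "members": ["group:analysts@example.com"]},
        {"role": "roles/storage.objectAdmin",
         "members": ["serviceAccount:etl@example.iam.gserviceaccount.com"]},
        {"role": "roles/storage.objectViewer", "members": ["allUsers"]},
        {"role": "roles/owner", "members": ["user:bob@example.com"]},
    ]
}


def expand_member(member: str, groups=GROUPS) -> Set[str]:
    """Return the concrete principals a member entry covers (groups flattened)."""
    return set(groups.get(member, {member}))


def effective_permissions(policy, principal: str, groups=GROUPS) -> Set[str]:
    """Union of the permissions of every role bound to the principal, whether
    directly, via a group, or via a public member that matches everyone."""
    perms: Set[str] = set()
    for binding in policy["bindings"]:
        covered: Set[str] = set()
        for m in binding["members"]:
            covered |= expand_member(m, groups)
        if principal in covered or covered & PUBLIC_MEMBERS:
            perms |= ROLE_PERMISSIONS.get(binding["role"], set())
    return perms


def is_allowed(policy, principal: str, permission: str, groups=GROUPS) -> bool:
    perms = effective_permissions(policy, principal, groups)
    return "*" in perms or permission in perms


def audit_policy(policy) -> List[str]:
    """Flag bindings that violate least privilege."""
    findings = []
    for b in policy["bindings"]:
        public = PUBLIC_MEMBERS.intersection(b["members"])
        if public:
            findings.append(f"{b['role']} granted to public member(s) {sorted(public)}")
        if b["role"] in BASIC_ROLES:
            findings.append(f"basic role {b['role']} granted to {b['members']}")
    return findings


def harden_policy(policy) -> dict:
    """Return a copy with public members and basic-role bindings removed.
    Anything the removed bindings legitimately provided must be re-granted
    through a narrowly scoped role instead."""
    bindings = []
    for b in policy["bindings"]:
        if b["role"] in BASIC_ROLES:
            continue
        members = [m for m in b["members"] if m not in PUBLIC_MEMBERS]
        if members:
            bindings.append({"role": b["role"], "members": members})
    return {"bindings": bindings}


if __name__ == "__main__":
    for finding in audit_policy(BUCKET_POLICY):
        print("FINDING:", finding)
    hardened = harden_policy(BUCKET_POLICY)
    print("outsider can read before hardening:",
          is_allowed(BUCKET_POLICY, "user:mallory@example.net", "storage.objects.get"))
    print("outsider can read after hardening:",
          is_allowed(hardened, "user:mallory@example.net", "storage.objects.get"))
```

Running the audit before deployment (or periodically against exported policies) is the practical check: an outsider with no binding at all can read the bucket while the `allUsers` grant exists, and Bob can delete everything through `roles/owner` even though no binding names that permission. After hardening, the analysts group keeps read access through its narrow role, the ETL service account keeps write access, and nobody else holds anything.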
A strict and organised approach to access management reduces the possibility of a data breach and brings you closer toward data protection compliance.