Data is fundamental to any use of the cloud: where it is stored, who can access it, how long it is retained, and other factors all have to be considered.
It is a common misconception that it is not possible to identify the physical location of data on the cloud; any reputable cloud provider will be able to give you that information.
The General Data Protection Regulation (GDPR), whose requirements come into effect in May 2018 to ensure proper procedures for processing and storing personal data in the European Union, places conditions on the transfer of personal data to third countries (i.e. those outside the European Economic Area, the EEA). It is recommended that you give consideration to requiring your cloud computing provider to store your data within the EEA, since this will greatly simplify the process and reduce the risk of breaches of GDPR.
Also, be sure to identify where data would be transferred to for backup, maintenance or disaster recovery purposes; your protections in the EEA would be undermined if data were accessed from, or transferred to, a non-EEA country in the event of an outage or force majeure event.
You should ensure that your supplier offers a practical method of moving your data back to your premises or to another provider on demand. You should ensure that:
- there is a clear procedure – with firm timelines – for the return of data in the event you cannot obtain the data yourself
- there is an obligation on the supplier to make available/return the data in a usable format
- the supplier does not delete data on termination of the services without giving you a reasonable opportunity to recover the data
Bear in mind that a solicitor has a responsibility to provide certain data to the Law Society and Scottish Legal Complaints Commission on request, and failure to do so could be a conduct issue. You may also be required to provide data in response to other legal requests, for example subject access requests and repossession requests, or requests from HM Revenue & Customs, lenders under panel appointment arrangements and law enforcement agencies. Your contract should therefore provide for the return of your data on demand, in a readable and understandable form, even if your firm is in breach of the terms it has in place with the provider, or if your firm is in a dispute with the provider (for example, regarding charges).
When data is deleted it is rarely removed entirely from the underlying storage media unless some additional steps are taken. In addition, a cloud provider is likely to have multiple copies of data stored in multiple locations to provide a more reliable service. This may include backup tapes or other media not directly connected to the cloud. Copies of personal data stored in a cloud service may also be stored in other forms, such as index structures.
You should therefore consider the provider's data retention policy. How, for example, will the provider's retention policy protect you and allow recovery for, say, an accidentally deleted email that contains important client information? In addition to regulatory requirements to retain data, and any undertakings that you may have given in the course of business to retain access to data and files, you must also consider proper disposal of data once these agreed time periods have expired. Ad-hoc disposal requirements should also be considered (particularly in the context of GDPR and the right to be forgotten, as discussed below).
Depending on the service and the answers to your diligence questions, you may wish to consider regularly backing up the data held in the cloud and storing it locally. This will have technical and cost implications, but reduces the risk of being denied access to your data and makes the transfer to another supplier more straightforward. If you do hold a backup locally, you should check regularly that it is working correctly by creating a test file, deleting it and restoring it from your backup.
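As an added example (not part of the guidance above, and not any provider's tooling), the following POSIX shell script performs the restore drill just described: it creates a test file, backs it up, deletes the original, restores it from the backup and confirms the restored copy matches the original's SHA-256 digest. It also checks that a damaged backup makes the drill fail, because a drill that cannot fail proves nothing. The directory layout (`live`, `backups`) and the use of `tar` as the backup tool are assumptions; substitute the backup and restore commands your firm actually uses.

```shell
#!/bin/sh
# Added example: a local backup restore drill. The paths and the use of
# tar are assumptions standing in for your real backup tooling.
set -eu

# SHA-256 digest of a file, portable across sha256sum (Linux) and shasum (macOS).
digest() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# restore_drill WORKDIR
# Returns 0 when a file deleted from "live" can be restored from "backups"
# byte-for-byte, 1 otherwise.
restore_drill() {
    work="$1"
    live="$work/live"        # stands in for the locally held working data
    backups="$work/backups"  # stands in for the local backup target
    mkdir -p "$live" "$backups"

    # 1. Create a test file with known content and record its digest.
    printf 'restore drill %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" > "$live/drill.txt"
    before=$(digest "$live/drill.txt")

    # 2. Take the backup (an archive of the live directory, stored elsewhere).
    tar -C "$live" -cf "$backups/live.tar" .

    # 3. Delete the original; this is what makes the restore a real test.
    rm "$live/drill.txt"
    [ ! -e "$live/drill.txt" ] || return 1

    # 4. Restore from the backup into the live directory.
    tar -C "$live" -xf "$backups/live.tar"

    # 5. Verify the restored file exists and its digest matches the original.
    [ -f "$live/drill.txt" ] || return 1
    after=$(digest "$live/drill.txt")
    [ "$before" = "$after" ]
}

# drill_fails_on_damaged_backup WORKDIR
# Sanity check of the drill itself: with a corrupted archive the restore must
# not produce the file. Returns 0 when the damage is detected, 1 otherwise.
drill_fails_on_damaged_backup() {
    work="$1"
    live="$work/live"
    backups="$work/backups"
    mkdir -p "$live" "$backups"
    printf 'drill\n' > "$live/drill.txt"
    tar -C "$live" -cf "$backups/live.tar" .
    rm "$live/drill.txt"

    # Simulate media damage: overwrite the archive with zero bytes.
    head -c 512 /dev/zero > "$backups/live.tar"

    if tar -C "$live" -xf "$backups/live.tar" 2>/dev/null && [ -f "$live/drill.txt" ]; then
        return 1   # a "successful" restore from garbage means the drill is untrustworthy
    fi
    return 0
}

# Run both checks in a scratch directory when executed directly.
scratch=$(mktemp -d)
if restore_drill "$scratch/ok" && drill_fails_on_damaged_backup "$scratch/bad"; then
    echo "restore drill PASSED"
else
    echo "restore drill FAILED (see $scratch)" >&2
    exit 1
fi
rm -rf "$scratch"
```

Run it on a schedule (for example from cron) and treat any non-zero exit as an incident to investigate, not a nuisance; the point of the drill is that the day you need the backup is not the first day you test it.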
You should also check your contract for how frequently the cloud provider will back up your data to a separate site. You should be aware of any period of time during which your data will not yet have been backed up and would therefore be ‘lost’ should the cloud system fail.
Your cloud provider should give assurance that your information will be treated as confidential and not used or disclosed to third parties. In terms of intellectual property, you should retain full ownership of the data stored on your provider's system and have an explicit right to get your data back on demand. Also consider any intellectual property created during provision of the cloud service, which may be particularly relevant where interfaces are created between a cloud provider's systems and your applications. These would be valuable from a business continuity perspective if you were to look for a new provider or bring services back in-house. You should look to retain ownership (or broad usage rights) in those interfaces if possible. As regards usage rights in the data, please see the section below on GDPR.
You should ascertain your provider's willingness to be subjected to audits by independent security certification authorities. Some providers advertise certification summaries on their data quality and data security.
A number of industry self-certification schemes exist but it is not yet clear which represent a true ‘gold standard’ so they should be treated with appropriate care when selecting cloud providers.
Given the central role that the transfer of data plays in cloud services, the treatment of data protection compliance must be considered. Generally, cloud providers are keen to emphasise that they will act only as data processors. With the implementation of GDPR, obligations will be placed directly on data processors for the first time. Any person ‘who has suffered material or non-material damage’ as a result of an infringement of the GDPR has the right to claim compensation from either your firm (as the controller) or the service provider (as a data processor). Accordingly, cloud service providers may begin to seek their own warranties from you that adequate procedures are in place for data held in the cloud.
In terms of the cloud agreement itself, the key points are set out in the GDPR and include the following:
- be sure that the supplier's role as a data processor is clear, and that the supplier does not have the right to use any of the data as data controller for its own purposes
- ensure that the supplier only processes the data in accordance with your documented instructions
- ensure that anyone who has access to the data is subject to confidentiality obligations (including the data processor's staff)
- the supplier must agree to assist you in relation to data subject rights as set out in the GDPR (including the right to be forgotten, the right to data portability and the right to restrict processing), otherwise you could find yourself unable to comply with these requirements
- the supplier must seek your consent to the use of any sub-contractors it engages that will process your data
- the supplier must have adequate security arrangements in place and a mechanism to notify you of breaches, including in enough time to allow you to notify regulators or data subjects within the legal time limits (see below)
You should also consider the effects of data protection impact assessments. Previously, such assessments were regarded as a matter of good practice but, under GDPR, they will be mandatory for any high-risk processing. You should ensure that the service provider undertakes to offer assistance to complete your assessments and, where necessary, engages in any consultations required with the Information Commissioner's Office.
Under GDPR, the provider will have a responsibility to understand and keep an inventory of the data they are processing. In addition, the contract itself must set out in specific detail the nature and purpose of the processing, the type of personal data and categories of data subjects and the obligations and rights of the controller. This may lead to more debate about the allocation of risks and require greater due diligence before a contract is agreed.
The e-Privacy Directive currently provides breach notification obligations for the providers of an electronic communications service, such as cloud service providers. This means that your service provider should:
- Inform subscribers about the risk of a breach of the security of the network, and in certain cases of the possible remedies;
- Notify a personal data breach:
  - within 24 hours after detection (where feasible), to the competent national authority; and possibly
  - without undue delay, to the subscriber or individual, when the personal data breach is likely to adversely affect the privacy of such person.
GDPR will introduce a duty on all organisations to report certain types of data breach to the relevant supervisory authority, and in some cases to the individuals affected. Therefore, in the event of a notifiable breach involving your client data, this may have to be reported to the relevant supervisory authority within 72 hours of the organisation becoming aware of it. As such, you should ensure your supplier has a duty to notify you as soon as becoming aware of any breach.