A significant proportion of the data that a law firm may look to place in the cloud will relate to clients. Clients will expect this data to be held securely and safely, and in accordance with regulatory requirements and any engagement terms.
Unless specifically prohibited by the engagement letter, no specific client consent is required to make use of cloud providers where the law firm is acting as a data controller. However, if the personal data is going to be processed by the cloud provider outside the European Economic Area (EEA), it will be necessary for the law firm to satisfy itself that the security arrangements proposed are compliant with the General Data Protection Regulation (GDPR), and that the GDPR requirements relating to international transfers of personal data are met.
Where the law firm is acting as a data processor, it will require the client's specific consent to the use of cloud providers, which can be given either in the engagement terms themselves, or by separate written instructions.