It is a common misconception that it is not possible to identify the location of data on the cloud. This should be considered in two strands:
- Where the data is stored or hosted at rest; any reputable cloud provider will be able to give you this information.
- Where data can be accessed from (including remote access). This may be more difficult, but following the Schrems II decision, providers are being forced to track this information in order to comply with data protection requirements.
The UK General Data Protection Regulation includes requirements about the processing and storing of personal data in the UK and European Union, and places conditions on the transfer of personal data to third countries (i.e. those outside the UK and/or European Economic Area (EEA)). It is recommended that you consider where your cloud provider will process, store, and transfer your data, and try to keep this within the UK and/or EEA, since this will greatly simplify the process and reduce the risk of breaches of the UK GDPR. Where data is processed, stored or transferred outside the UK and/or EEA, you should ensure that your cloud provider does this in accordance with requirements under data protection laws in relation to international transfers of data (for example, under the Standard Contractual Clauses).
Also, be sure to identify where data would be transferred to or accessed from for support, backup, maintenance or disaster recovery purposes. You will require to carry out a transfer impact assessment and put in place appropriate safeguards if data will be processed in a third country that is not deemed to offer adequate safeguards.
You should ensure that your cloud provider offers a practical method of moving your data back to you or to another provider on demand. You should ensure that:
- there is a clear procedure – with firm timelines – for the return of data in the event you cannot obtain the data yourself;
- there is an obligation on the provider to make available/return the data in a usable format;
- the provider does not delete data on termination of the services without giving you a reasonable opportunity to recover the data.
Bear in mind that a solicitor has a responsibility to provide certain data to the Law Society and Scottish Legal Complaints Commission on request, and failure to do so could be a conduct issue. You may also be required to provide data in response to other legal requests, for example, subject access requests and repossession requests, or from HM Revenue & Customs, lenders under panel appointment arrangements, law enforcers, and the UK Information Commissioner’s Office (ICO). Your contract should therefore provide for the return of your data on demand, in a readable and understandable form, even if your organisation is in breach of the terms it has in place with the provider, or if your organisation is in a dispute (for example, regarding charges).
When data is deleted it is rarely removed entirely from the underlying storage media unless some additional steps are taken. In addition, a cloud provider is likely to have multiple copies of data stored in multiple locations to provide a more reliable service. This may include backup tapes or other media not directly connected to the cloud.
You should therefore consider the provider's data retention policy and ensure that the provider is only keeping data for specific purposes (such as to provide the cloud services or to meet regulatory or legal requirements). How, for example, will the provider's retention policy protect you and allow recovery for, say, an accidentally deleted email that contains important client information? In addition to regulatory requirements to retain data, and any undertakings that you may have given in the course of business to retain access to data and files, you must also consider proper disposal of data once these agreed time periods have expired. Ad-hoc deletion requirements should also be considered (particularly in the context of the right to be forgotten for data subjects contained in data protection legislation).
Depending on the service and the answers to your diligence questions, you may wish to consider regularly backing up the data held in the cloud and storing it locally. This will have technical and cost implications but reduces the risk of being denied access to your data and makes the transfer to another supplier more straightforward. If you do hold a backup locally, you should check regularly that it is working correctly by creating a test file, deleting it and restoring it from your backup.
You should also check your contract for how frequently the cloud provider will back up your data to a separate site. You should be aware of any period where your data will not be backed up and will therefore be ‘lost’ should the cloud system fail. Also, it is important to check that ‘loss of data’ is not excluded from liability. You should ensure that a cloud provider will stand behind any requirements it commits to, to back up and securely host your data.
Your cloud provider should give assurance that your information will be treated as confidential and not used or disclosed to third parties. In terms of intellectual property, you should retain full ownership of the data stored on your provider's system. You should also have an explicit right to get your data back on demand. Also consider any intellectual property created during provision of the cloud service, which may be particularly relevant where interfaces are created between a cloud provider's systems and your applications. These would be valuable from a business continuity perspective if you were to look for a new provider or bring services back in-house. You should look to retain ownership (or broad usage rights) in those interfaces if possible. Generally, cloud providers do not give indemnities or performance warranties for third party elements of the technology stack, with certain licences being on a ‘commercially off the shelf’ basis with no room to negotiate.
Given the central role that the transfer of data plays in cloud services, the treatment of data protection compliance must be considered. Generally, cloud providers are keen to emphasise that they will act only as data processors as they will not have visibility of, access to, or have any control over, the personal data that you store on the cloud. The UK GDPR places obligations directly on processors and controllers of personal data. Any person “who has suffered material or non-material damage” as a result of an infringement of the UK GDPR has the right to claim compensation from either your organisation (as the controller) or the cloud service provider (as a processor). Accordingly, cloud service providers may seek their own warranties from you that adequate procedures are in place for data held in the cloud. You may also wish to consider seeking protections from the cloud provider that your data will be held securely and separately from other customer data held in the cloud.
In terms of the cloud agreement itself, where you are a controller and the cloud provider is a processor, the agreement should include provisions which cover the points set out in Article 28 of the UK GDPR. This includes the following:
- be sure that the provider's role as a processor is clear, and that the provider does not have the right to use any of the data as a controller for its own purposes;
- ensure that the provider only processes the data in accordance with your documented instructions (including in relation to transfers). For transfers outside of the UK/EEA, there is now a requirement to conduct a transfer risk assessment to ensure you are satisfied that the data subjects of the transferred data continue to have a level of protection essentially equivalent to that under the UK data protection regime (and put in place adequate safeguards from a technical, contractual and operational perspective to ensure this);
- ensure that anyone who has access to the data is subject to confidentiality obligations (including the provider’s staff, and those of any sub-processors);
- the provider must agree to assist you with data subject rights as set out in the UK GDPR (including the right to be forgotten, the right to data portability and the right to restrict processing), otherwise you could find yourself unable to comply with these requirements. Globally there is an increase in more comprehensive legislation on data privacy with greater awareness of privacy rights by individuals, especially in light of Schrems II. This has led to a corresponding increase in complaints and demands to exercise privacy rights.
- the provider must seek prior specific or general authorisation to the use of any sub-contractors it engages that will process your data (and provide you with a right to object to any proposed updates);
- the provider must assist you with auditing or inspecting its compliance with data protection laws;
- the provider must have adequate security arrangements in place, adequate safeguards and a mechanism to notify you of personal data breaches, with enough detail and in enough time to allow you to notify regulators or data subjects within the legal time limits (see below).
You should also consider the effects of data protection impact assessments, which are mandatory for any high-risk processing. You should ensure that the cloud provider undertakes to assist you with completing your assessments and, where necessary, engages in any consultations required with the ICO.
The contract must set out in specific detail the nature and purpose of the processing, the type of personal data and categories of data subjects and the obligations and rights of the controller.
The UK GDPR places a duty on all organisations to report certain types of data breach to the relevant supervisory authority, and in some cases to the individuals affected. In the event of a notifiable breach involving your client data, this may have to be reported to the relevant supervisory authority within 72 hours of the organisation becoming aware of it. As such, you should ensure your supplier has a duty to notify you as soon as it becomes aware of any breach and that it is required to co-operate with you to mitigate and resolve the breach and prevent future incidents occurring.