Data protection with cloud computing

Companies, authorities and institutions that typically used to process their data internally are now increasingly sub-contracting that activity to outside companies and are relying on cloud computing. There is no doubt that there are many advantages to this. However, it would be wrong to forget the data protection and technical risks that are associated with this process. We have therefore published an explanatory note on cloud computing which highlights the risks and sets out the requirements.

Although the subject of data protection is regularly mentioned in all the discussions revolving around outsourcing and cloud computing, it tends in many cases to be associated - wrongly - with data security. Data security is undoubtedly an essential aspect, but data protection in cloud computing goes a good deal further. Outsourcing data processing activities to a foreign «public cloud» often means that data protection requirements cannot be entirely guaranteed. Cloud providers do not as a rule disclose where the data are being processed. In many cases, data processing takes place in countries that do not have sufficient data protection legislation.

Whenever data processing is to be carried out via the cloud, it is therefore important to take particular care in assessing the risks and in selecting, instructing and monitoring the provider. Important selection criteria should include a high degree of transparency on the part of the cloud provider with regard to the data processing and the guarantee of data security. As a rule of thumb, the more confidential, secret, important (because they are business critical) and sensitive (because they are worthy of protection) data are, the less they should be processed in the cloud, particularly a foreign cloud, and the stricter and more comprehensive the data protection measures and the supervision of their application must be. In the final analysis, the user of the cloud is the client, and therefore it is his responsibility to ensure that the data protection regulations are respected, as he will be held responsible for any violations of an individual's privacy rights.

Our comments can be found here in German or French.

https://www.edoeb.admin.ch/content/edoeb/en/home/documentation/annual-reports/older-reports/19th-annual-report-2011-2012/data-protection-with-cloud-computing.html