How to ensure your cloud computing is legally compliant
Cloud computing is an integral part of many modern businesses. From simple software such as Office 365 to SharePoint and Azure, cloud computing provides a range of organisational and logistical benefits.
All of the data used and generated by cloud software comes with added responsibilities, however. Businesses using cloud computing solutions need to ensure that the data they use is being stored and transferred securely. Failing to do so may mean substantial penalties, both legal and reputational.
Securing the Cloud
Cybersecurity is a growing issue, and something even large corporations struggle to manage. As your business grows, so too does the amount of data you handle, and the number of ways it can be accessed. With cloud computing, the convenience of being able to access it anywhere also carries some risk. You not only have to manage the security of the data you store in the Cloud, but the many devices and locations you access that data from.
Cloud computing does offer some inherent security benefits, with the ability to host files on a remote server, separate from your internal network. However, it also brings complications. While your company remains accountable for data stored on remote servers, the management of security risks is often transferred to a third party. This means you have to be particularly vigilant about security, and choose your cloud service provider extremely carefully.
Complicating this are the variations in legal requirements. Typically, data use is governed by the regulations of the country it is stored in. However, the EU’s General Data Protection Regulation (GDPR) complicates this. While aspects of GDPR apply to EU companies and citizens, businesses must also comply with GDPR if they store data belonging to EU citizens, regardless of where the business or Cloud server is located.
Cloud computing & GDPR
GDPR was designed as a way to wrestle back some control of data from businesses who had abused their previous freedoms, and to hand that control back to users. Under GDPR, businesses have to be much more transparent in the way they collect data, informing customers and visitors to their website which data they are collecting and why. They must also make that data accessible to users, and promptly delete it if requested.
This creates a few challenges for cloud computing. With most cloud services handled by a third party, businesses must take steps to ensure that those external cloud service providers are fully compliant with GDPR and other local data protection laws. This includes:
- Ensuring that European customer data is handled distinctly from other data;
- Knowing where cloud data is stored and processed (this is complicated by data often being sent between numerous servers);
- Collecting only ‘necessary’ data, as outlined by your data policy;
- Strictly controlling the collection of ‘special’ data (e.g. ethnicity or sexual orientation);
- Ensuring that data is only used for the reasons outlined in your data policy;
- Ensuring that data can be quickly accessed and deleted as needed.
Ensuring cloud compliance
An ideal implementation of cloud computing will integrate it closely with your business, such that accessing data on your own network or servers and accessing it in the Cloud are practically indistinguishable. As such, ensuring that your cloud computing solution complies with data protection laws means ensuring that all the data you access and manage is compliant. Putting the right frameworks in place to manage risks will help to protect all the data you are responsible for, wherever it resides.
This should start with the application of at least one risk management framework for your data. This framework should define your ‘information assets’ – all of the types of data you manage (databases, financial information, etc.) – so that you are cognisant of the varying risks posed to each form of data, and each storage medium. Your framework(s) should also outline an auditing process, management procedures, IT oversight, and continuity planning in the event of an outage, security breach, or cessation of your cloud computing services.
A range of ISO standards, certifications and attestations can help you to put together your risk management framework, and to verify that your cloud service provider and other IT partners are legally compliant. Common options for general data protection include ISO/IEC 27001: Information Security Management, and the more general ISO 9001: Quality Management Systems. You may also adopt a risk management framework specific to cloud computing, such as ISO/IEC 27017: Cloud Specific Controls, or apply for the CSA Security Trust Assurance and Risk attestation.
By working with an ISO certified IT service provider, you can kill two birds with one stone. The service provider can administer your cloud computing services with the guarantee of compliance, and can help you to apply a framework that complies with ISO standards. In this way, both organisations act as a check on the other; your staff are trained to manage and audit data correctly, both on your networks and in the Cloud, and the service provider helps you to build a risk management framework, and to apply it effectively.
By working with a service provider that holds general quality and information management certifications, you can ensure that both your internal data and cloud data are being managed properly, with both parties aligned to common standards. The systems you put in place will provide oversight from both parties, ensuring that compliance is ongoing, that systems are held to and followed through on, and that all staff manage data properly and effectively.
Sota can help businesses to implement both public and private secure Cloud solutions, including our own independent SotaCloud platform, and the popular Microsoft Azure. To learn more about our various Cloud offerings and how to ensure that you comply with data protection laws, contact Sota today.