Article by Avv. Felix Hofer 1
The increasing – not to say booming – popularity of cloud computing has induced the Italian DPA to provide businesses processing personal data in the context of their activities with specific guidelines for the correct handling of such data when making use of cloud services.
To the purpose the DPA has offered guidance by providing users of cloud services with ten golden rules, which may be summarized as follows:
Make sure that you're dealing with a reliable provider, having proven experience in supplying cloud services and disposing of adequate technical capacity.
You're handing over some of your most valuable assets to a third party and want to have them kept safe, confidential and easy to access at any time. Therefore quality of the service and technical capacity of the cloud service provider as to connectivity and recover strategies should be a crucial factor in the choice of your business partner. His will to share a certain level of co-liability for damages eventually occurring gives you an indication on how confident the provider himself feels about the quality of his services.
2.- Data Portability.
Give your preference to cloud service providers relying on standards and formats allowing an easy switch between different cloud systems.
Data portability reduces significantly your risks of terminating a not satisfying business relationship and grants a better balance in negotiation when the provider proposes (or unilaterally proceeds to) modifications in the terms of its services. You'll avoid critical lock-in situations.
3.- Data Control.
Your contract needs to grant actual availability of the cloud services and constant access to your data at any time.
Bear in mind that if continuous effectiveness of a cloud service is not granted, such failure will affect not only your business, but also third party interests (e. g. those of your clients). Therefore always insist on sufficiently frequent back ups of all the data you transfer to the cloud.
4.- Data Selection.
Reserve proper attention to the nature of the data you upload to the cloud and to their level of 'sensitiveness'.
Some of your data may need to be kept strictly confidential (e. g. because relating to patents or know-how or because containing information as to health, race or political views of the individuals such data refer to). Transferring sensitive data to the cloud obviously results in less control on them and therefore in increased risk. As you won't be able to foresee all kinds of potential data losses or breaks, consider your liabilities before outsourcing sensitive data.
5.- Keep constantly an eye on your data in the cloud.
It's not over when the contract is signed, you need to be consistent in controlling the quality of the cloud services provided to you.
You'll have to check whether your data transferred to the provider are physically remaining with your contracting partner or whether they actually end up at the disposal of third parties (e. g. of a provider's sub-contractor or supplier). Frequently providers rely on third parties as to storage capacity; in such case safety measures and recover strategies will depend on the capacities of such third parties. This aspect needs to be considered in your contract.
6.- Data Location.
Find out in advance whether the cloud service provider will process and store your data locally or within the territory of the EU or outside of Europe.
It's crucial to know where your data in the cloud will be stored. Location will determine obvious legal implications as to jurisdiction and applicable law; it'll also determine the level of protection granted to your data. Therefore make sure that you have always your saying with respect to further transfer of data to third countries (safety measures and standards in the country of data's final destination are clearly of crucial importance).
7.- Terms and Conditions of the cloud service provided.
Carefully check all terms and conditions contained in the contract you're signing with the service provider.
Pay special attention to the provisions on liability in case of data losses or of their illicit diffusion. Consider the terms for terminating the contract and insist for clear conditions as to service quality and functioning. The aspects most crucial to your business should be assisted by penalties. Check for eventual co-liability of sub-contractors.
8.- Duration and Modalities of Data Storage.
Your contract with the cloud services provider should contain specific obligations both for the duration of data storage as well as for data's cancellation.
Legitimate data processing has generally to comply with the principles of 'adequacy' and 'proportionality'; in other terms, data shall be collected and stored exclusively for the uses initially revealed to data subjects and shall be kept no longer than strictly necessary for the purposes of their initial collection. You need therefore to be in a position that allows you to obtain timely cancellation of the data transferred in the cloud.
9.- Safety Measures.
In the light of adequate data protection and with respect to confidentiality expectations you need to perform an in-advance check of the safety measures offered by the provider.
It's therefore advisable to rely on providers who adopt adequate safety measures for storing and transferring your data. Access control and encryption techniques should be granted (especially for sensitive data).
10.- Staff Education and Training.
Staff, both of your company as well as that of the provider, assigned to data processing in the cloud should always undergo adequate initial education and periodical training in order to keep employees up to date with respect to the obligations and the liabilities implied by data handling.
Only properly educated staff will contribute to limiting the risks of illicit processing, undue access to data, their accidental loss or their illegal diffusion. Education and training should focus on technical developments in IT as well as on procedural aspects. The risk of illegal or fraudulent conduct performed by employees is equal to that of prejudicial consequences deriving from staff's negligence, ignorance or accidental errors.
(as per August 2012)
1.Felix Hofer is a named an founding partner of the Italian law firm Studio Legale Hofer-Loesch-Torricelli, in Firenze (Italy), via Giambologna no. 2/R; he may be reached through the following contact details: E-mail: firstname.lastname@example.org (personal account) – email@example.com (firm account).
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.