3 Points to consider before storing data in the cloud

Blogs March 6, 2016

IPR and Technology

Traditionally speaking, it is rather easy to establish the roles with regard to responsibility in controlling and processing data. The distinction between a controller and a processor as well as determining their tasks in most of the situations is generally graspable. However, this might not be the case in the cloud where understanding the responsibilities can be complex and challenging. It might be unclear who has the obligation to protect data in the cloud and this may lead to an unwanted situation where nobody is fully accountable in the event of a breach of rules.

In this environment of shared responsibility of a cloud, it is generally each party’s task to make the most from its side to keep the data safe. If we look at the situation from the cloud service consumer’s point of view, it is largely the question of how to save the files to the cloud and at the same time be sure that they cannot be accessed by unauthorised third parties. From the cloud service provider’s perspective, it is also important to ensure the confidentiality of the information in the cloud in order to build trust towards the services on offer. Additionally, service provider’s task is to build a safe infrastructure and fulfil its legal obligations.

In principle, it is in the interest of both parties to make the best use of the cloud, but it can never be forgotten that this kind of relations are also subject to threats that the human element in cooperation with cyberspace possesses. Hence, efforts from both sides are required for efficient results, and relying merely on the protection of law is probably not enough. As it might be difficult to determine the responsible party in every situation, account should be taken of the alternatives to minimise potential risks. Overcoming the insufficient responsibility issue that might occur from time to time due to the special essence of cloud computing, among other matters, one should:

  • Choose the service provider(s) carefully . A quick due diligence is a key as it helps to indicate the strengths and weaknesses of a specific cloud service provider. Depending on the needs, it might be a good idea to use different service providers simultaneously for various sets of data to achieve better protection and to reduce the risk of potential data leaks;

  • Go through the terms of use of cloud services with the service provider . It is generally the task of the provider of cloud services to present the terms and conditions for the use of the services in its cloud. If a service provider does not provide a solid agreement, one should be aware of the potential issues that might follow when the matters are not well regulated in the agreement. In any event, special attention should be drawn to the compliance with data protection laws and the allocation of responsibilities;

  • Create company’s internal policy regarding the use of cloud services . We cannot preclude the human element in dealing with data, but we can lay down rules on how data should be treated. Depending on the specifics, classification can be made, for instance, based on the sensitivity of data, according to which it can be decided if such data should be uploaded to the cloud or archived otherwise. Overall, it is about risk management, everyday analysis and decision-making on how to protect the data.

Exploiting new technologies, including cloud computing, in business is definitely something that can result in efficiency. Yet, it is quite true that law cannot always keep up with technological developments, causing bottlenecks in addressing the issues that relate to those rather rapid changes. By paying sufficient attention to the subject matter, it is possible to mitigate the risk and this, of course, should be done in every possible way, even if the cloud may be somewhat disobedient to the legal regulations.