CLOUD COMPUTING:
The Legal Aspects of Keeping Your Data Safe and Compliant
Brian Miller, Senior Associate, IP & IT
Stone King LLP
LEGAL PROS AND CONS OF PUTTING DATA IN THE CLOUD
CLOUD COMPUTING AND WEBSITE SECURITY
Cloud computing is the name given to the use of computing resources (hardware and software) that are delivered as a service over a network (typically the Internet).
(Wikipedia)
(1) Security
If cloud provider not using adequate security, data never safe:
• Adequate firewalls
• Adequate encryption
Data Protection Act, Seventh Principle: “Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data”
Obligations are on both:
• The data processor (the cloud provider)
• The data controller (your organisation)
No due diligence => you could be liable if breach
Personal data accessible by a third party = breach of the Data Protection Act
(2) Who Are You Contracting With?
• May be a number of providers involved
• Sub-contractors must be bound by same standards of
  – Security
  – Confidentiality
• Main provider needs to carry the can for subcontractors
Where is My Data?
If data stored or transferred outside EEA, 8th Principle requires adequate security measures to be in place:
• “Personal data shall not be transferred to a country or territory outside the EEA unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.”
8th Principle
Means of ensuring adequate protection:
1. Model clauses signed up with contractor
2. US: entity on Safe Harbor List
Transfer without consent = breach of the Act
• ICO recommends getting
  – list of countries where data is likely to be processed
  – details of the safeguards in place
• ICO requires a written contract with your processor, specifying that the processor:
  – may only use and disclose the personal data in accordance with your instructions
  – must take appropriate security measures to protect the data
  – gets your consent to transfer the data outside the EEA
How Secure is My Data
Can A Supplier Read My Data?
• No guarantees they won’t unless contract says so
• Technically necessary?
Prevention
• Encryption
• Ensure adequate level
Data Breaches
Consequences of breach:
• Fine of up to £500K
• Trustees (unincorporated charity) personally liable; get an indemnity from charity
• Civil actions from data subjects
• Get cyber liability insurance
CONCLUSION & SUMMARY
THREE THINGS TO REMEMBER…
If you put your data in the cloud, make sure you carry out IT and legal due diligence on your provider to check that:
• their systems are secure
• data is kept confidential
• it is not transferred outside of the EEA without your and your customers’ consent.
Brian Miller
Senior Associate, IP, IT & Commercial
Stone King LLP
[email protected]
@theitsolicitor
brianmillersolicitor
0207 324 1523
For further information about cloud computing, please see the following article on Stone King’s website:
• Is Your Website Legally Compliant