Ten Questions to Ask Your Cloud Provider


The use of cloud computing is on an exponential rise, as it offers users almost unlimited storage of data, reduces the need for organisations to have physical servers and allows easy access to information from anywhere in the world. As such, many UK based organisations are now turning to cloud computing to satisfy their data storage needs.
But there is one issue which seeks to bring grey clouds over an otherwise silver lining and that is data security. By using the cloud instead of a physical storage device, organisations are obliged to hand over data to a third party cloud provider, some or all of which might be personal data within the meaning of the Data Protection Act. An organisation must therefore be sure, before it enters into a contract with a cloud provider, that its information will be kept securely and the provider’s handling of data will be compliant with the Act and any other applicable laws.
Before you acquire a business which uses cloud computing, or purchase software which is cloud based, here are ten questions your organisation should ask the provider:

1. Where will the servers be based on which our data would be stored?
2. Is there any possibility of it being transferred outside the EU (assuming the servers are EU-based)?
3. Do you use any subcontractors for the storing of our data and, if so, who are they and where are they based? If any are based in the US, are they a member of the US Safe Harbor Scheme?
4. Are you ISO 27001 and/or 9001 and/or 27017/27018 certified, and/or certified by any other data security organisation? Please supply a copy of any relevant certificates.
5. What other information can you send me to allay any concerns about the security of your systems?
6. Have you ever had a security breach, and was any client data lost or accessed?
7. What other organisations do you supply your hosted system to? Can we see a list, and can you supply up to three names of any that we can contact for a reference?
8. Would your organisation be prepared to enter into a data processing agreement?
9. Can you please send me your terms of business and any other terms which we would have to sign up to in order to receive the hosted service?
10. What is the position and process regarding the return of our organisation’s data in the event that the agreement was terminated, came to an end or your organisation ceased to trade?
Brian Miller is a solicitor and partner and Lauren Mitchum a trainee solicitor at Stone King LLP, providing specialist advice in the fields of intellectual property, IT, data protection and commercial law.
If you would like further information about the Regulations or if you have any concerns or queries in relation to them, please contact Brian.

Disclaimer: This article may not be reproduced without the prior written permission of the author. This article reflects the current law and practice. It is general in nature, and does not purport in any way to be comprehensive or a substitute for specialist legal advice in individual circumstances.