GDPR and the cloud
What will be the impact of the GDPR on cloud providers to legal firms? This article explains the points that should be covered in a service contract to ensure a firm's compliance
Location of data
Where you make use of a cloud solution, instead of your data being stored within servers in your own office, it will be located at the cloud provider's data centre(s). It is therefore crucial that you understand where your data are stored at any time. It is a common misconception that it is not possible to identify the physical location of data on the cloud; any reputable cloud provider will be able to give you that information in detail.
GDPR restricts the transfer of personal data outside the European Economic Area (EEA). In particular, in order to ensure that the level of protection of individuals afforded by the GDPR is not undermined, personal data may only be transferred outside the EEA in compliance with the conditions for transfer set out in chapter V of the GDPR. It is recommended that you require your cloud computing provider to store your data within the EEA, since this will greatly simplify the process and reduce the risk of breaches of GDPR.
Also be sure to identify where data would be transferred to for backup, maintenance or disaster recovery purposes; your protections in the EEA will be undermined if data will ultimately be accessed from or transferred to a non-EEA country in the event of an outage or force majeure event.
Access to data
You should ensure that your supplier offers a practical method of moving your data back to your premises or to another provider on demand. Key issues are:
- ensuring there is a clear procedure – with firm timelines – for return of data in the event you cannot obtain the data yourself;
- an obligation on the supplier to make available/return the data in a usable format; and
- ensuring the supplier does not delete data on termination of the services without giving you a reasonable opportunity to recover the data.
Bear in mind that a solicitor has a responsibility to provide certain data to the Law Society of Scotland and the Scottish Legal Complaints Commission on request, and failure to do so could itself be a conduct issue. You may also be required to provide data under other legal requests, for example subject access requests, repossession requests, or requests by HMRC, by lenders under panel appointment arrangements or by law enforcement bodies. The contract should therefore provide for the return of your data, in a readable and understandable form, on demand, even if your firm is in breach of the terms it has in place with the provider or is in a dispute with the provider (for example regarding charges).
Retention of data
When data are deleted, they are rarely removed entirely from the underlying storage media unless some additional steps are taken. In addition, a cloud provider is likely to have multiple copies of data stored in multiple locations to provide a more reliable service. This may include backup tapes or other media not directly connected to the cloud. Copies of personal data stored in a cloud service may also be stored in other forms such as index structures.
You should therefore consider the provider's data retention policy. How, for example, will the provider's retention policy protect you and allow recovery for, say, an accidentally deleted email that contains important client information? In addition to regulatory requirements to retain data, and any undertakings that you may have given in the course of business to retain access to data and files, you must also consider proper disposal of data once these agreed time periods have expired. There may also be ad hoc disposal requirements to be considered (particularly in the context of GDPR and the right to be forgotten).
Depending on the service and the answers to your diligence questions, you may wish to consider regularly backing up the data held in the cloud and storing it locally. This will have technical and cost implications, but reduces the risk of being denied access to your data and makes the transfer to another supplier more straightforward. If you do hold a backup locally, you should check regularly that it is working correctly by creating a test file, deleting it and restoring it from your backup.
You should also check your contract for the frequency the cloud provider will back up your data to a separate site. You should be aware of any period of time where your data will not be backed up and will therefore be “lost” should the cloud system fail.
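The restore check described above (create a test file, delete it, restore it from the backup) as a small shell drill. This is an added example, not part of the guide; it assumes the local backup is a plain directory copy, so the copy step is a stand-in for whatever backup tool the firm actually runs, and it compares a content digest rather than just checking that a file reappears.

```shell
#!/bin/sh
# Added example: a local backup restore drill (not from the article).
# Assumes a hypothetical layout where the local backup is a directory copy.

file_digest() {
    # Portable content digest: prefer sha256sum, fall back to shasum, then cksum.
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | cut -d' ' -f1
    else
        cksum "$1" | cut -d' ' -f1
    fi
}

# restore_drill LIVE_DIR BACKUP_DIR
# Returns 0 when the restored file is byte-identical to the original, 1 otherwise.
restore_drill() {
    live="$1"; backup="$2"
    stamp=$(date +%Y%m%dT%H%M%S)
    name="restore-drill-$stamp.txt"
    # 1. Create a test file with a unique payload (constructed sample data).
    printf 'restore drill %s pid %s\n' "$stamp" "$$" > "$live/$name"
    expected=$(file_digest "$live/$name")
    # 2. Run the backup (here a plain copy; substitute your backup tool's run).
    #    Its failure is exactly what the drill is meant to catch, so do not abort here.
    cp "$live/$name" "$backup/$name" 2>/dev/null || true
    # 3. Delete the original, as a real loss would.
    rm -f "$live/$name"
    # 4. Restore from the backup copy.
    if ! cp "$backup/$name" "$live/$name" 2>/dev/null; then
        echo "restore drill FAILED: $name not present in backup" >&2
        return 1
    fi
    # 5. Verify content, not just presence: a truncated or empty restore must fail.
    actual=$(file_digest "$live/$name")
    rm -f "$live/$name" "$backup/$name"
    if [ "$expected" = "$actual" ]; then
        echo "restore drill OK: $name restored with matching digest $actual"
        return 0
    fi
    echo "restore drill FAILED: digest mismatch for $name" >&2
    return 1
}
```

Run it from cron against the real backup location and alert on a non-zero exit; a drill that only checks the backup job's own log will not notice a copy that is empty or unreadable.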
Ownership and rights in data
It is important that your cloud provider gives assurance that the information will be treated as confidential and not used or disclosed to third parties. You should retain full ownership, in terms of intellectual property, in relation to the data stored on your provider's system. You should have an explicit right to get your data back on demand. Also consider any intellectual property that may be created in the course of the services, which may be particularly relevant where interfaces are created between a cloud provider's systems and your applications. These may be valuable from a business continuity perspective if you were to look for a new provider or bring services back in-house, and so you should look to retain ownership (or broad usage rights) in those interfaces if possible.
Audit and independent certification
You should ascertain your provider's willingness to be subjected to audits by independent security certification authorities. Indeed, some providers advertise certification summaries on their data quality and data security.
A number of industry self-certification schemes exist, but it is not yet clear which represent a true “gold standard”, so they should be treated with appropriate care when selecting cloud providers who use them to credential their services.
Data protection and GDPR
Given the central role that the transfer of data plays in cloud services, the treatment of data protection compliance must be considered. Generally, cloud providers will be keen to emphasise that they will act only as data processors. With the implementation of GDPR, obligations will be placed directly on data processors for the first time. Any person “who has suffered material or non-material damage” as a result of an infringement of the GDPR has the right to claim compensation from either your firm (as the controller) or the service provider (as a data processor) for any damage suffered. Accordingly, cloud service providers may begin to seek their own warranties from you that adequate procedures are in place in respect of your data held in the cloud.
In terms of the cloud agreement itself, the key points are set out in article 28(3) of GDPR and include the following:
- be sure that the supplier's role as a data processor is clear, and that the supplier does not have the right to use any of the data as data controller for its own purposes;
- ensure that the supplier only processes the data in accordance with your documented instructions;
- ensure that anyone who has access to the data is subject to confidentiality obligations (including the data processor's staff);
- the supplier must agree to assist you with regard to data subject rights as set out in chapter III of the GDPR (including the right to be forgotten, the right to data portability and the right to restrict processing), otherwise you could find yourself unable to comply with these requirements;
- the supplier must seek your consent to the use of any subcontractors it engages that will be processing your data; and
- the supplier must have adequate security arrangements in place and a mechanism to notify you of breaches, including in enough time to allow you to notify regulators or data subjects within the legal time limits.
You should also consider the effects of data protection impact assessments. Previously such assessments were regarded as a matter of good practice in the data protection sphere but, under GDPR, will now be mandatory for any high-risk processing. You should ensure that the service provider undertakes to offer assistance to complete your assessments and, where necessary, engages in any consultations required with the ICO.
Under current law, cloud service providers have no obligation to be particularly interested in the data that they are processing. Under GDPR, the provider will have a responsibility to understand and keep an inventory of the processing. In addition, the contract itself must set out in specific detail the nature and purpose of the processing, the type of personal data and categories of data subjects, and the obligations and rights of the controller. This may lead to more debate about risk allocation and require greater due diligence at the outset, before signature.
John McKinlay is a partner in DLA Piper's Edinburgh office, and head of its UK Intellectual Property & Technology practice
This article is an extract from the Law Society of Scotland's Cloud Computing Guide, to be published in April 2018