Cloud computing: the answer to your data storage prayers, or the biggest data protection challenge your company has faced?
Increasing numbers of businesses are choosing to move to cloud computing solutions to store data and deliver services to their customers. In 2015, cloud computing investment was the second largest spend for commercial IT departments.
Moving to the cloud can free companies from reliance on hard storage devices and paper files – but many firms are failing to take into account the serious data protection implications of using cloud storage.
The reality is that a move to cloud storage increases the need for data protection rather than reducing it. Whereas paper records or files on mobile phones, laptops or other electronic devices can be safely destroyed using data shredding, mobile shredding and mobile document shredding, data stored on cloud storage cannot be deleted like this, and companies risk losing control of how commercial data is stored, moved and accessed.
The consequences could be serious. Companies using cloud storage risk unintentionally violating the UK Data Protection Act if they don’t take suitable care over choosing a provider and controlling their data. Fines for data breaches are set to increase to as much as €100m, or 5% of global revenue in the EU – far higher than the current UK fine limit – with liability resting with the company controlling the data.
Risk: Choosing a Provider
If you use a cloud service to store your customers’ data, you are classed as a data controller, and therefore liable under the Data Protection Act in the UK for the security of that data. Under new EU data protection regulation, due to come into force in 2017, any organisation that is involved in storing or processing personal data is liable in the event of a data breach. This includes cloud storage providers, and companies using those providers.
So if you move to a cloud solution, you are responsible for assessing the security measures taken by your provider. If you don’t carry out such checks thoroughly, you may be liable in the event of a data breach – which could carry a financial penalty and loss of reputation.
There’s also a risk of supplier lock-in, as moving data between suppliers, or taking data off cloud storage, can be costly and risky; for example, how do you ensure all old data has been deleted? And what happens to your data in the event that your provider goes bankrupt?
Risk: Where data is stored
It’s often difficult or impossible for an end user of cloud storage to tell where exactly in the world data is being stored at any one time. Cloud storage providers may in turn farm out to other providers, moving data between locations without the knowledge of the end user. This may not be an issue for a private customer, but for businesses who have to comply with data protection laws, this is crucial.
For example, there are currently restrictions on data being moved outside the European Economic Area. In 2000, the European Commission entered into a data protection agreement with the US, called ‘safe harbour’, that allowed personal data to be transferred from the EU to the US, and outsourcing to US cloud storage companies became widespread. But in 2015 the agreement was declared invalid by the EU’s highest court, due to concerns over the quality of data protection in the US.
It is now the responsibility of the company storing customer data to confirm that those services meet privacy protection requirements, a potentially expensive and time-consuming process.
Risk: The Choice to Encrypt
One solution to cloud storage privacy risks is to encrypt data before it is stored. Encrypted data is not classed as personal data, and so does not carry the same data protection risks. But this relies on a company having the IT resources to securely encrypt data before upload.
Risk: Individuals Using Cloud Storage
The wide availability of cloud storage makes it more difficult for companies to control how sensitive data is handled, stored and accessed. It is easy for individual staff or departments to use cloud storage without authorisation or guidance from a central IT department or company policy.
It is possible, even probable, that even if your company isn’t officially using central cloud storage, individuals or departments are already storing sensitive data on the cloud.
Individuals may be backing up communications or documents to cloud storage, and departments may be opting to use cloud applications with a specific business use, such as cloud accountancy software. These departments may be acting outside the company’s IT policy.
But UK and EU regulations mean that the company as a whole is still responsible for the security of such data.
Risk: Legal Implications
New EU regulation will allow individuals to claim damages from companies implicated in data protection breaches, potentially costing firms of all sizes money, but also damaging their reputations in the long term.
The new EU regulation will give customers the right to demand at any time that their data is deleted by organisations holding it. This becomes more complex when data is spread over one or more cloud storage solutions.
Businesses considering a move to cloud storage therefore need to take into account the legal implications of the move and take the necessary steps to protect themselves in the event of a data breach.
It’s not always a good idea to jump on board with a trend such as that of switching to cloud storage, and the risks outlined above mean that it is a decision that must not be taken lightly by businesses of any size.
Cloud storage, for example, means the security that comes with having confidential data destroyed by a shredding company such as Datashredders is a thing of the past. If your business is continuing to use physical storage for sensitive information, then contact us for secure onsite shredding services. Call the number at the top of this page, use the enquiry form on our contact us page or email firstname.lastname@example.org to ensure that your data is never at risk of cyber-theft.