1

CLOUD COMPUTING:

The Legal Aspects of Keeping Your Data Safe and Compliant

Brian MillerSenior Associate, IP & IT

Stone King LLP

LEGAL PROS AND CONS OF PUTTING DATA IN THE CLOUD

2

CLOUD COMPUTING AND WEBSITE SECURITY

Cloud computing is the name given to the use of computing resources (hardware and software) that are delivered as a service over a network (typically the Internet).

(Wikipedia)

LEGAL PROS AND CONS OF PUTTING DATA IN THE CLOUD

3

(1) Security

If cloud provider not using adequate security, data never safe: Adequate firewalls Adequate encryption

Data Protection Act, Seventh Principle: “Appropriate technical and organisational measures shall

be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data“

LEGAL PROS AND CONS OF PUTTING DATA IN THE CLOUD

4

Obligations are on both:- The data processor (the cloud provider) The data controller (your organisation)

No due diligence => you could be liable if breach

Personal data accessible by a third party=

Breach of the Data Protection Act

LEGAL PROS AND CONS OF PUTTING DATA IN THE CLOUD

5

2) Who Are You Contracting With?

• May be a number of providers involved• sub-contractors must be bound by same standards of

– Security– Confidentiality

• Main provider needs to carry can for subcontractors

LEGAL PROS AND CONS OF PUTTING DATA IN THE CLOUD

6

LEGAL PROS AND CONS OF PUTTING DATA IN THE CLOUD

Where is My Data?

If data stored or transferred outside EEA, 8th Principle requires adequate security measures to be in place:

• “Personal data shall not be transferred to a country or territory outside the EEA unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.”

7

LEGAL PROS AND CONS OF PUTTING DATA IN THE CLOUD

Where is My Data?

8th Principle

Means of ensuring adequate protection:

1.model clauses signed up with contractor

2.US: entity on Safe Harbor List

Transfer without consent = breach of the Act

8

LEGAL PROS AND CONS OF PUTTING DATA IN THE CLOUD

Where is My Data?• ICO recommends getting

• list of countries where data is likely to be processed• details of the safeguards in place

• ICO requires a written contract with your processor, specifying that the processor:• may only use and disclose the personal data in

accordance with your instructions• must take appropriate security measures to protect

the data• gets your consent to transfer the data outside the EEA

• Ico

9

LEGAL PROS AND CONS OF PUTTING DATA IN THE CLOUD

How Secure is My Data

Can A Supplier Read My Data?• No guarantees they won’t unless contract says so• Technically necessary?

Prevention• Encryption• Ensure adequate level

10

LEGAL PROS AND CONS OF PUTTING DATA IN THE CLOUD

Data Breaches

Consequences of breach:• Fine of up to £500K

• Trustees (unincorporated charity) personally liable get an indemnity from charity

• Civil actions from data subjects• Get cyber liability insurance

11

CONCLUSION & SUMMARY

THREE THINGS TO REMEMBER…

If you put your data in the cloud, make sure you carry out IT and legal due diligence on your provider to check that:

• their systems are secure• data is kept confidential• It is not transferred outside of the EEA without

your and your customers’ consent.

12

Brian MillerSenior Associate

IP, IT & CommercialStone King LLP

brianmiller@stoneking.co.uk @theitsolicitor

brianmillersolicitor 0207 324 1523

For further information about cloud computing, please see the following article on Stone King’s website:

•Is Your Website Legally Compliant