- Daniel Gołda
Cloud computing and the law
What do entrepreneurs need to remember?
When choosing IT services, legal aspects are no less important to the enterprise than functionality or usability. They should be a key element in selecting a specific solution for the company; however, they are often not analyzed. So how does cloud computing look in the light of the law, what regulations should be considered when choosing cloud computing, and what pitfalls should be avoided? Let's take a closer look.
Cloud computing and the law in the light of GDPR
The very first aspect that concerns cloud solutions for companies is the processing of personal data. The Act of 10 May 2018 on the Protection of Personal Data and, primarily, Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, the now-famous GDPR, impose a number of requirements and obligations on the entity that administers and processes personal data. Personal data has been defined so broadly that, in practice, it is hard to find a business entity that is not a data controller. If this data is placed in cloud computing, you should be aware that the controller is responsible for the processing: even after the data has been transferred to a third party, it is still the controller who is responsible for the careful selection of the processor and for its actions.
Safe place for data storage
GDPR introduced the principle of territorial freedom of data processing within the European Economic Area, but a transfer to another country, i.e. one outside the area, is only conditionally possible. One of the conditions is a decision stating that the destination country provides an appropriate level of protection, and it should be remembered that the USA is not such a country. What does this mean in practice? To be sure that data is processed in accordance with GDPR, the cloud infrastructure provider should guarantee data storage within the EEA.
Service Level Agreement
A conscious choice of provider does not exhaust the subject of cloud computing in the light of the law. What else should companies pay attention to? An important issue is the contract, which should include a Service Level Agreement guaranteeing the service level. This provision specifies in detail the level of service availability, the time of response to a request, the helpdesk team's operation model, and the method of communication. The law has no specific requirements for this type of agreement. The SLA is a practical confirmation of the quality of the provider's services, so it is worth paying attention to its detailed parameters and being aware of what they mean for the practical use of the cloud service.
The law vs cloud computing
Cloud computing is becoming increasingly common not only in our daily lives, but also in business. Many companies cannot imagine functioning without cloud solutions, as demonstrated especially by the pandemic and the need to work remotely, or by supply chain problems.
In the context of cloud computing and legal regulations, it is important to be mindful that there is no single piece of legislation, guidance or regulation that is applicable to all companies. Nor can any of them be considered the most important or superior to the others. A significant challenge for companies is also the need to comply with industry-specific requirements for cloud computing, such as the FSA's guidelines in the case of the financial industry or medical data processing guidelines in the case of the pharmaceutical industry. That is why it is crucial to have a reliable cloud service provider that is able to ensure compliance with multiple regulations and will be a partner for the company in case of audits or inspections by regulatory institutions.