Data protection chief issues cloud computing rules
THE DATA Protection Commissioner has issued new guidelines aimed at companies who wish to use cloud computing services.
The use of cloud services – which are usually delivered by a third party on an on-demand basis – creates data protection issues if companies use cloud computing to manage or hold personal data for which they are responsible.
Although the Data Protection Commissioner’s guidelines make clear that the cloud can be used to store or handle personal data within data protection law, some steps must be followed by companies wishing to do so.
The guidelines are designed to get companies asking questions of providers, around how and where data is stored and who has access to it.
Firms planning to use cloud services to store or access data should check with the service provider on continued access to data for back-up and disaster recovery measures; the prevention of unauthorised access to data, both internal and external; and procedures in the event of a data breach.
Companies should also be clear on the terms of arrangements for their data before entering into contracts, the regulations said.
The guidelines have been published following a similar move at European level by the Article 29 Working Party, of which the Data Protection Commissioner is a member.
Ireland played an active role in developing the document, said deputy data commissioner Gary Davis, to ensure that the outcome was “workable”.
The use of cloud computing has become increasingly popular in recent years, bringing new challenges to companies as they seek to stay on the right side of data protection rules.
The use of cloud services is no different to any other form of outsourcing data, the deputy commissioner said.
However, Mr Davis said some firms have not been doing these simple checks before using cloud services, while others may not realise that they are using cloud computing, and are “sleepwalking” into the technology.
In May, the Department of Enterprise and Jobs unveiled new standards aimed at providing guidance to businesses on moving to cloud computing, providing guidance to organisations both large and small on the various issues that need to be considered.
A PwC study in April revealed that although many companies had a strategy in place for adopting cloud computing, many were reluctant to fully adopt the technology due to security concerns and many were using cloud for non-critical systems only.
However, Mr Davis said although some firms are reluctant to use the cloud, such services may be in some cases more secure, as larger firms dedicated to the technology can afford to invest money in the security needed to protect data effectively.