In March 2022, the Danish data protection authorities, Datatilsynet, released guidelines for data protection and the use of cloud technology. The guidelines apply not only to cloud service providers but also to their customers. It's worth noting they are very precise in defining what you, as a user, should consider when using a cloud service.
What is considered cloud technology?
The guidelines define the cloud as “a model for providing standardized computer system resources typically on larger decentralized collections of servers, accessed via the internet”. There are various types of cloud services:
A) Infrastructure as a service (IaaS): this is the most basic of all service models. In this model, the user has access to infrastructure, which includes resources such as processing, storage, and network. In this case, the user is required to install and operate some sort of software. It is the user's responsibility to implement security measures concerning the operating system, data storage, and business application.
B) Platform as a service (PaaS): In this type of service, the user has access to infrastructure, a database, and operating systems. The platform can be used for running applications that were either bought or developed by the user. The user is responsible for the implemented applications and their configuration.
C) Software as a service (SaaS): In this type of service, the customer has access to the suppliers and fully developed cloud-based applications. The cloud service provider takes full responsibility for the operation and maintenance of the solution. By contrast, the user has less responsibility and control over the entire solution.
As a user, what should you consider when using a cloud service?
Usually, when using a cloud service, you as a user assume the role of a data controller, and the service provider is the data processor. When processing personal data, you as user/controller must consider the following aspects:
1) Having a lawful basis for processing the data.
2) Knowing what type of personal data you are processing (this could fall under personal, sensitive, or other special categories of data).
3) Defining the purpose of processing the data.
4) Knowing how the processing is carried out.
Having considered these factors, one should be able to assess if the processing of personal data can be conducted in compliance with the data protection regulation. If the answer is negative, the user/controller should look for alternatives for processing. The user/controller must always document the assessment carried out to ensure compliance with chapters II through V of the GDPR, and be able to demonstrate such compliance to the DPA when requested. You, as a user/controller, bear a high level of responsibility when it comes to the data protection law. Your documentation should therefore reflect that you have assessed the risks related to data processing activities and, more importantly, that you have taken all the necessary measures aimed at mitigating risks.
How do you assess the risk?
When it comes to risk assessment, the user/controller should always look for any kind of risk that jeopardizes the rights and freedoms of the data subjects in the course of processing their data. Technical and organizational measures ought to be implemented to mitigate the risk and reduce it to an acceptable level, as well as to ensure that the processing activities are always lawful. You should then prepare a complete description of the processing activity that includes the data flows and the legal basis for the processing. Additionally, you as the user/controller must carry out a risk assessment, always considering the intended processing and with the obligation coming from the requirement of data protection by design and default. Bear in mind this general assessment should never be confused with the risk assessment related to the security of processing, which is supposed to examine the potential vulnerabilities of the process to attacks and hacking.
You as a user should also verify your cloud service provider and ensure that the level of data processing security is appropriate for the type of data you intend to process. If, for example, your organization processes data concerning health, then the cloud service provider should always have appropriate tools to secure such type of processing. Additionally, you as a user should always pay attention to what organizational measures you put into place, such as who has access to the data. The allocation of responsibility within your organization is yet another key factor. Moreover, there should be a clear division of tasks between your cloud provider and your organization.
Know your supplier
As mentioned earlier, the cloud service supplier acts as a processor of data. Therefore, it is your duty as a user/controller to fully know how they process data on your behalf or what kind of security they provide with regard to data processing. Supplier's confidentiality policy, the subprocessor, the data flows, and many other relevant aspects need to be taken into consideration as well.
Knowing all this about the cloud supplier is crucial for any user who processes data for commercial or non-commercial purposes. At Iagon, we are always doing our best to provide the most secure and transparent cloud service. With Iagon, you can keep track of the data processing, choose a specific location for it to be carried out, and define from where the data can be accessed. Additionally, you are informed about all of the parties involved in the processing, the relevant transfer tool, and all the technical and organizational measures we implement to make your data secure. Our solution's flexibility allows you to customize your account and tailor our product to specific legal requirements that apply to your company. Regardless of the solution you choose, our encrypting technology will keep your data safe with the highest level of data security, ensuring compliance with all regulations concerning personal data and sensitive data. Iagon's mission is to set the best privacy practices for our users. You can centralize the compliance of all your legal requirements with our decentralized solution.