New concerns over data in cloud

Companies which use cloud services to store and process personal data must ensure providers can “guarantee” compliance with EU data protection laws, or risk prosecution, an EU privacy body has warned.
With more and more firms using third-party companies to store their data – normally at a fraction of the cost of buying their own systems – ensuring compliance is becoming a major issue.
The Article 29 Working Party – a highly influential group made up of data protection experts from member states – said that although organisations lack negotiating power over cloud providers, they must ensure the operators they use comply with data protection rules.
The group said firms inherently lack control over personal data they are responsible for when using cloud services, and also may not have access to detailed information about how information is processed in the cloud.
Cloud computing also poses risks to data security, such as “loss of governance, insecure or incomplete data deletion, insufficient audit trails or isolation failures”, said the group.
Under the EU’s Data Protection Directive, personal data can only be processed under strict conditions. But because cloud data processing often involves multiple sub-contractors, data controllers should tread carefully, the group added.
The Working Party also outlined what organisations should do to ensure their cloud providers comply with EU rules on international data transfers.