Nowadays it is a rarity to find any business that doesn’t employ some form of third-party cloud computing. Most businesses use some form of cloud-hosted CRM, website hosting, or office applications such as email and external storage. Last year alone the global cloud computing market was valued at £368.97 billion, with an estimated CAGR (compound annual growth rate) of 15.7% from 2022 to 2030.
Long story short, cloud-computing is not going away anytime soon.
What most businesses don’t realise, however, is that extra considerations apply when you use cloud services to host personal data.
Why does it matter?
The issue stems not from where the provider is registered, but from where the servers that store your personal data are located.
Any transfer of personal data to a territory not covered by the GDPR or by an adequacy decision is a ‘restricted transfer’ under the GDPR. This means the territory you are transferring the data to is not recognised as having protections equivalent to the GDPR, so free and unrestricted transfers are not permitted. Specific safeguards must therefore be put in place before a restricted transfer can take place. The most common safeguard is a set of EU Standard Contractual Clauses (SCCs) under the EU GDPR, or the International Data Transfer Agreement (IDTA) or the UK Addendum to the EU SCCs under the UK GDPR. Note that the IDTA is the UK’s equivalent of the SCCs. Bear in mind that the list of adequate territories changes over time, so check the current ICO (UK) or European Commission (EU) lists rather than relying on an old contract review.
SCCs and the IDTA are specific contractual clauses that bind third parties located in restricted territories to the protections they must apply to the personal data they process. Without them (or another Article 46 safeguard, or an Article 49 derogation for limited one-off cases), any transfer of personal data to that territory is unlawful.
If you are storing personal data on servers located in a restricted territory, you may be making one of these unlawful transfers without even realising!
What can I do to check?
Most cloud-computing providers operate servers in multiple territories, including the UK and EU. When signing up to a hosting service, most providers let you choose the region in which your data is stored. They should also let you check where your data is currently held if you don’t know which servers it is on.
The other thing to identify is what types of data you are storing in the cloud.
If you are not storing personal data (i.e. any data that can be used to identify a living individual) in the cloud, then you don’t have to worry about restricted transfers. Information such as generic business email addresses (e.g. email@example.com) or main switchboard numbers, which cannot be used to identify an individual, does not count as personal data.
What do I need to do?
Step 1 – Discover what cloud providers you are using
You may think this is an easy question to answer. Indeed, most businesses only use IT-approved cloud-based services such as Microsoft, Amazon or Google for their primary business functions.
What about Shadow IT? This is the use of IT systems, devices, software, applications and services without explicit IT department approval, and the adoption of cloud-based applications has driven its rapid growth. The first task, and potentially the most difficult, is to establish which Shadow IT services are in use within your organisation, whether personal data is being stored in them, and where that personal data is located.
Step 2 - What do I need to do if personal data is stored in a restricted territory?
If you identify that personal data you are responsible for is being stored in a restricted territory, you must review your contracts with the cloud service provider to check that the appropriate SCCs (or, under the UK GDPR, the IDTA or UK Addendum) are in place. Most major service providers will either endeavour to store your data on UK/EU-based servers or include SCCs in their standard data processing terms. However, older contracts, or contracts with smaller cloud providers, may be missing these legally required clauses.
Tacita recommends that you review all your contracts with third party cloud-service providers to check that these SCCs are in place and that they are appropriate to your territory.
Provided your transfers are covered by a set of SCCs, you must then inform your data subjects about any and all international data transfers.
This is done through your privacy notice. You are legally required to present a privacy notice whenever personal data is collected, and that notice must describe any international transfers of the data that are taking place and the safeguards you have put in place for them.
For example: your business is UK-based and uses a cloud-based work management system to support your employees. It collects employee personal data, such as name, date of birth and phone numbers, so that they can set up a profile. On checking with the provider, you find that this employee data is being transferred to and stored on a US-based server.
Whilst you could move all your data to a UK/EU-based server, your business decides that this would cause too much disruption.
Firstly, you must review your contract with the third-party provider to check that the IDTA (or the UK Addendum to the EU SCCs) is included in the agreement.
Then, once they have been confirmed as present, you must update your employee privacy notice to inform your data subjects (the employees) about these international transfers. If the clauses are not present, the transfer must stop, or be covered, before it continues.
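The decision logic of the steps above, run over a constructed inventory of cloud data stores, as an added example that is not part of the original article or of Tacita’s own tooling. The provider and service names are invented, and the sets of UK/EEA and adequate territories are an illustrative subset (an assumption): the authoritative lists must be taken from the ICO or the European Commission at the time of the review.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Illustrative subset of territories (assumption, not an authoritative list).
# Country codes are ISO 3166-1 alpha-2. Adequacy status changes over time,
# so refresh these sets from the ICO (UK GDPR) / European Commission (EU GDPR).
UK_AND_EEA = {"GB", "IE", "FR", "DE", "NL", "ES", "IT", "SE", "NO", "IS", "LI"}
ADEQUATE = {"CH", "JP", "NZ", "KR", "IL", "AR", "UY", "JE", "GG", "IM"}
# The US is deliberately left out: whether a US recipient is covered depends on
# its certification under the UK-US data bridge, which this example does not model.

# Contractual clauses that make a restricted transfer lawful under the UK GDPR.
VALID_SAFEGUARDS = {"IDTA", "UK Addendum to EU SCCs"}


@dataclass
class DataStore:
    provider: str
    service: str
    country: str                 # where the servers holding the data are located
    personal_data: bool          # does it identify living individuals?
    clauses: set = field(default_factory=set)   # transfer clauses found in the contract
    in_privacy_notice: bool = False             # transfer disclosed to data subjects?
    it_approved: bool = True                    # False = found during Shadow IT discovery


def is_restricted(country: str) -> bool:
    """A transfer is restricted when the hosting territory is covered neither
    by the UK GDPR nor by UK adequacy regulations."""
    return country.upper() not in (UK_AND_EEA | ADEQUATE)


def assess(store: DataStore) -> list[str]:
    """Findings for one data store, in the order the steps above raise them.
    An empty list means no further action is needed for transfers."""
    findings: list[str] = []
    if not store.it_approved:
        findings.append("shadow IT: confirm what it holds and bring it under contract review")
    if not store.personal_data:
        return findings          # business emails, switchboard numbers etc. are out of scope
    if not is_restricted(store.country):
        return findings          # UK/EEA or adequate territory: no safeguard needed
    present = store.clauses & VALID_SAFEGUARDS
    if not present:
        findings.append(
            f"restricted transfer to {store.country} with no IDTA/SCCs: "
            "unlawful until clauses are in place"
        )
    elif not store.in_privacy_notice:
        findings.append(
            f"restricted transfer to {store.country} is covered by "
            f"{sorted(present)[0]} but is not disclosed in the privacy notice"
        )
    return findings


def report(inventory: list[DataStore]) -> dict[str, list[str]]:
    """Map 'provider/service' to its findings for the whole inventory."""
    return {f"{s.provider}/{s.service}": assess(s) for s in inventory}


# Constructed inventory: the article's scenario (row 1) plus contrasting cases.
INVENTORY = [
    DataStore("WorkMgmt-SaaS", "employee profiles", "US", True),
    DataStore("CRM-SaaS", "customer contacts", "US", True,
              {"UK Addendum to EU SCCs"}, in_privacy_notice=False),
    DataStore("ObjectStorage", "marketing assets", "US", False),
    DataStore("Mailbox", "staff mailboxes", "IE", True),
    DataStore("FileShare", "shared spreadsheets", "SG", True, it_approved=False),
]

if __name__ == "__main__":
    for name, findings in report(INVENTORY).items():
        print(name, "->", findings or ["no action needed"])
```

Only the first, second and fifth stores produce findings: the first needs clauses before the transfer can lawfully continue, the second needs its privacy notice updated, and the fifth needs both discovery follow-up and clauses. The Irish mailbox and the non-personal marketing assets need nothing.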
Cloud computing services tend to be at the heart of businesses, and these requirements shouldn’t change that. Instead, by making sure you are processing and transferring personal data compliantly, you build confidence within your business and trust outside it, allowing you to continue your day-to-day activities safe in the knowledge that you’re covered.
Contact Tacita below for more information on how we can help your business attain and maintain GDPR peace of mind!