Cloud computing: Best practices for data management
1. Data classification and protection: PII data must be categorized in a cloud environment as this helps define model clauses or sub-clauses. For example, banking or health-related data requires detailed due diligence, as these are classified under the “special category of personal information or data” under GDPR and other privacy acts.
Personal data management must be clearly defined in any agreement, including cases where a CSP may retain or destroy all customer data hosted on the expiration or termination of the said agreement.
2. Identification of data handlers and processors: Whether the privacy agreement needs to be signed between a CSP and the customer, or a separate agreement is required between the CSP and a hyperscaler, is a critical consideration especially when CSP uses a hyperscaler to provide cloud services. In a cloud environment, each key stakeholder is also closely associated, and a legal binding agreement with all identified stakeholders may be necessary to ensure effective privacy management.
3. Defining ownership roles of data controller, processor, or sub-processors: Agreements must specify roles and responsibilities amongst the contracting parties considering the scope of engagement.
4. Impact assessment: Agreements must define the onus on each party to conduct data privacy impact assessments for transfers individually or jointly as required. These are critical to identify and mitigate privacy related risks. Further, such assessments must be recoded in writing and available whenever required for audit or other purposes.
5. Clarity on cloud location and data transfer: Due diligence must ensure a customer’s choice of data storage location, as clearly mentioned in the agreement. This is required when hyperscalers are deployed, since large CSPs have infrastructure spanning across various jurisdictions.
6. Third-party data access: Third-party data sharing spans across the roles of CSPs or hyperscalers in contracts. In case of mandatory sharing of data with external parties such as law enforcement agencies, CSPs or hyperscalers must ensure that a cloud agreement clarifies that data minimization is applied before sharing, and if law permits, inform the data handlers involved. A legal binding agreement with all identified stakeholders is necessary to ensure effective privacy management.
7. Standard contractual clauses (SCCs) and adequacy clauses: SCCs provide legal mechanism in the form of contractual clauses that can be used by both the sender and receiver of personal data as a ground for data transfers from the EU to other countries, by providing appropriate data protection safeguards.
When customers or end-users of a non-EU CSP are subject to EU laws but data storage within the EEA is not possible, attorneys must get CSPs or hyperscalers to incorporate duly approved SCCs in the contract before data transfers. The agreement(s) must clarify if the data export location is covered under an adequacy clause or agree to a data transfer risk assessment for applicable locations.
8. Breach notification: The procedures to be followed in case of data breach incidents need to be clearly defined and understood by all parties involved in an agreement.
9. Holistic stakeholder view: The parties to a contract must discuss other possible critical stakeholders in the privacy ecosystem and must mention those stakeholders in the agreement.
10. Cloud model selection: A key clause that must be considered is the selection of an appropriate cloud model. For example, public cloud deployment may not be appropriate when sensitive data is to be hosted. Other key considerations include data processing terms, third-party components integrated and their licensing terms, provision for data protection officer, among others.