Out-Law / Your Daily Need-To-Know

Recommendations on processing data in the cloud

12 Dec 2018, 2:01 pm

ANALYSIS: A recent report published by Ireland's data protection watchdog provides a helpful reminder to businesses to take additional steps to secure personal information when processing it in the cloud.

While cloud solutions offer businesses major advantages in relation to the cost, efficiency and scaling of data processing operations, the new report (68-page / 847KB PDF) highlighted the risk of data breaches if companies fail to manage security risks involved in cloud outsourcing correctly.

The watchdog did, though, provide guidance on how businesses can avoid the common pitfalls associated with technology-related data breaches and take advantage of cloud solutions securely.

The report and its findings on data breaches

The report was the final annual report issued by the Office of the Data Protection Commissioner (ODPC), which was superseded by the Data Protection Commission when the General Data Protection Regulation (GDPR), and associated new Data Protection Act in Ireland, took effect on 25 May this year.

The report set out the main trends and findings of the ODPC between 1 January and 24 May 2018.

During the period, there were 1,198 valid data breach notifications recorded by the ODPC. Of those, 16 technology-related data breaches were investigated by the watchdog.

According to the report, the majority of the technology-related breaches resulted from a data controller’s use of cloud-based environments hosted by third party cloud service providers.

Common denominators

According to the report, the technology-related data breaches all had the following common denominators:

overreliance on data processors for the implementation of appropriate security measures;
insufficient awareness of security protocols which may be implemented as part of the use of cloud-based environments;
failure to appropriately scope and implement security measures relating to the organisation’s specific security requirements;
poor governance and control structures; and
an absence of follow-up procedures to ensure security measures are appropriate and up-to-date.

The ODPC emphasised that data controllers employing cloud-based environments as part of their processing of personal data must exercise greater control over the security and monitoring of those environments.

Recommendations

The findings in the report in relation to data breaches involving cloud-based environments are a timely warning in the context of the increasing use of, and reliance on, cloud-based solutions.

The ODPC made recommendations that data controllers can follow to address the security risks identified when using third-party cloud services. It said those organisations should:

themselves determine the security measures which are appropriate for application in respect of their processing of personal data
not rely on the cloud provider's default security settings;
ensure that steps are taken so that only authorised users can access cloud-based environments, with appropriate controls in place to mitigate the risk of an attack; and
undertake regular reviews of user permissions and disable accounts that are no longer required.

The ODPC's findings reflect a broader regulatory focus on the use of cloud services, especially in the context of regulated financial services businesses.

There was further evidence of this focus in a recent report of the Central Bank of Ireland on outsourcing by regulated firms. That report, which is open to consultation until 18 January, raised similar issues around cloud security, governance and risk management.

Dermot McGirr is a Dublin-based data protection law expert at Pinsent Masons, the law firm behind Out-Law.com.