The Irish Data Protection Commission has issued guidance on cloud computing. Here are key takeaways for companies and cloud providers:

  • You must remain in control of the personal data you collect.
  • You must have a written agreement with the cloud provider that meets the requirements of Article 28 of the General Data Protection Regulation.
  • Before engaging a cloud provider, you must be satisfied that the cloud provider’s security standards are sufficient and appropriate for the processing of personal data on your behalf.
  • Typically, you should conduct a detailed technical analysis incorporating an information security audit questionnaire and/or the cloud provider being certified under an approved code of conduct or certification.
  • The cloud provider must be able to account for its processing operations to the satisfaction of its customers.
  • You should inform data subjects that the data is being processed in the cloud.

Details from the Irish Data Protection Commission.