The Irish Data Protection Commission has issued guidance on cloud computing. Here are key takeaways for companies and cloud providers:
- You must remain in control of the personal data you collect.
- You must have a written agreement with the cloud provider that meets the requirements of Article 28 of the General Data Protection Regulation.
- Before engaging a cloud provider, you must be satisfied that the cloud provider’s security standards are sufficient and appropriate for processing personal data on your behalf.
- Typically you should conduct a detailed technical analysis, incorporating an information security audit questionnaire and/or confirmation that the cloud provider is certified under an approved code of conduct or certification.
- The cloud provider must be able to account for its processing operations to the satisfaction of its customers.
- You should inform data subjects that the data is being processed in the cloud.