<img height="1" width="1" style="display:none" src="https://www.facebook.com/tr?id=1334192293361106&amp;ev=PageView&amp;noscript=1">

On 1 July, the Article 29 Data Protection Working Party adopted a new Opinion, which identifies common data protection risks associated with cloud computing and provides a ‘checklist’ of recommendations for ensuring compliance with data protection legislation.

The majority of risks identified in the Opinion fall into two broad categories – lack of control and lack of transparency about the processing activities being undertaken.

The Opinion helpfully sets out the types of issues which should be covered in any contract a data controller enters into with a service provider for cloud computing, including:

  • specification of minimum security measures that the service provider needs to comply with;
  • an obligation on the service provider to provide a list of locations where the data may be stored and processed;
  • notification of any requests for disclosure of personal data by a law enforcement authority (unless prohibited);
  • rights to monitor and/or audit the service provider’s data processing activities; and
  • specification of conditions for destroying and/or returning personal data on termination/expiry of the agreement.

The Working Party also highlights the need for public sector organisations to take ‘special precautions’ over and above what would be expected of the private sector in relation to cloud computing. This includes carrying out an assessment of whether the processing and storage of data outside the UK may expose the security and privacy of data subjects to ‘unacceptable risks’. The Working Party notes that this type of assessment will be particularly important in respect of sensitive databases e.g. those that contain information about student disabilities or employees’ membership of trade unions.

As an interesting final point, the Working Party asks national governments and the European Union to consider whether the creation of a ‘supra-national virtual space’ might be appropriate to ensure that a consistent and harmonized set of rules apply to cloud computing in the public sector. I suspect however that this is just a pipeline dream for now.

A full copy of the Opinion is available here.

Guest contribution by
Sophie Burton-Jones, Solicitor

Learn more about SAP SuccessFactors

Like what you read?

Subscribe to the blog to receive updates about:

  • Growing HR trends and technology
  • SAP SuccessFactors, Benefitfocus, WorkForce Software and Dell Boomi
  • Actionable advice to support your existing HR cloud solutions

AltaFlux Corporation

By AltaFlux Corporation

AltaFlux understands what you and your organization need to excel, and can deliver rapid innovation to unleash your full workforce potential. Together, we can empower your business by streamlining, transforming, and optimizing your key HCM and talent processes with industry-leading SAP SuccessFactors technology—enabling you to adapt at the speed of change.