In Short
- If you store personal data in the cloud, UK GDPR applies, and you must ensure your provider meets legal requirements.
- You need a UK GDPR-compliant data processing contract with your provider to define their obligations and protect your data.
- Before selecting a provider, assess their security credentials, confirm where your data will be stored, and review liability clauses carefully.
Tips for Businesses
Before using a cloud provider, check where they store your data and ensure they have strong security measures. Always have a UK GDPR-compliant contract in place, clearly setting out their responsibilities. Review standard provider terms carefully—overly restrictive liability clauses could leave you exposed if they fail to protect your data. Seek legal advice if unsure.
Cloud storage can be a key resource for your business. However, if you store personal data in the cloud, UK data protection laws apply, and you must comply with mandatory rules. You are responsible for understanding the legal role of your cloud provider, securing mandatory contracts, and ensuring safeguards are in place to protect the personal data you share with the cloud provider. This article explores key data protection considerations for your business as a data controller when you engage cloud providers as data processors.
Does UK GDPR Apply to Cloud Storage?
If you store personal data in the cloud, UK GDPR applies whenever you share that data with a cloud provider.
Most cloud providers act as processors because they store and manage your data based on your instructions. Typically, your provider will not have any control over the personal data you share with them.
However, if your provider uses personal data for its own purposes (such as analysing usage patterns or improving its services), it may become a data controller for that processing, and different legal rules will apply.
Obligations
Where your cloud provider acts as your data processor, they will have a range of specific obligations, including:
- they must comply with UK GDPR;
- they must process data strictly according to your instructions;
- they should apply strong security measures to protect your data;
- they must report data breaches promptly, enabling you to meet your controller obligations;
- they must maintain records of processing activities;
- they must ensure anyone handling your data is subject to a duty of confidentiality;
- they must obtain your prior written consent before appointing any sub-processors, and you must have written contracts with those sub-processors;
- they must assist you in managing issues, including data subject requests, data breach notifications, and Data Protection Impact Assessments;
- they must securely delete or return all personal data to you at the end of your agreement, according to your instructions; and
- they must allow you to audit and inspect their compliance.
How Can You Reduce UK GDPR Risks When Using Cloud Storage?
You must carefully manage the data protection risks associated with using a cloud storage provider.
Key considerations include:
- before selecting a provider, you must assess what personal data you plan to store and how your provider will process it. You must conduct due diligence by reviewing your provider’s security credentials and ensuring you are satisfied with their data protection practices;
- you must put in place a UK GDPR-compliant data processing contract to ensure your provider guarantees data security and complies with UK GDPR rules when processing data. You must also review liability clauses carefully, as overly restrictive clauses can expose you to risk if your provider breaches data protection laws; and
- you must confirm precisely where your provider will store your data. You should store personal data in the UK or another country recognised by the UK as providing adequate protection, or you must ensure appropriate safeguards, such as the International Data Transfer Agreement, are in place if data storage occurs elsewhere.
Why Do You Need a Data Processing Contract With a Cloud Provider?
Under UK GDPR, you must establish a written data processing contract whenever you engage a cloud provider as your data processor.
Your contract must clearly define your provider’s obligations and specify how they will protect your data.
You must ensure your contract covers the purpose of processing, how long the provider will keep your data, their specific security duties, how they will handle breaches, where they store your data, and whether they transfer your data internationally.
Many cloud providers will use standard data processing contracts that limit their liability. You should carefully review these terms, as restrictive clauses can expose you to significant risks if your provider fails to protect personal data and you suffer loss as a result. A data protection solicitor can help you review your cloud provider’s terms, identify potential risks, and negotiate on your behalf.
Cloud storage contracts can be complex, and if your provider fails to meet UK GDPR rules, you, as the data controller, could face serious consequences. Therefore, if you are unsure about your obligations, you should seek advice from a data protection solicitor before entering into agreements with cloud providers.
Key Takeaways
If you store personal data in the cloud, you must ensure your provider meets UK GDPR requirements. Most cloud providers act as processors, but some can also act as controllers, so you should seek legal advice if you are not clear on your provider’s role. Legal advice will help you safeguard your data, comply with UK GDPR, and reduce potential liabilities.
If you need advice on compliance with UK GDPR, LegalVision’s experienced privacy lawyers can assist as part of our LegalVision membership. For a low monthly fee, you will have unlimited access to lawyers to answer your questions and draft and review your documents. Call us today on 0808 196 8584 or visit our membership page.
Frequently Asked Questions
When is a cloud provider a data processor rather than a data controller?
Your cloud provider is a processor when it stores and processes data on your behalf without independently deciding how to use that data. If your provider makes independent decisions about processing, it becomes a data controller.
Do you need a data processing contract with a cloud provider?
You must have a data processing contract under UK GDPR whenever you use a cloud provider to store personal data on your behalf as a data processor. Without a contract, you risk non-compliance and potential liability, as the law requires a contract whenever a controller engages a processor.