Security measures for the storage of personal data in a cloud computing environment
Risk assessment before deciding to process data in a cloud
A thorough risk assessment is necessary before processing.
The purpose of the risk assessment is to determine whether the assumptions for transferring data to cloud computing hold, and how the cloud computing would be carried out. This is done by analysing risk factors and taking into account the level of confidentiality and the relevant laws and regulations.
It is therefore essential that the person responsible for the processing of personal data, the so-called controller, knows where, how and by whom the personal data he is responsible for is processed.
The results of the risk assessment should be weighed against the estimated benefits of implementing a cloud solution, but it cannot be taken for granted that outsourcing of sensitive personal data is allowed.
Various companies and contractors assist in performing risk assessments.
The Ministry of Finance and Economic Affairs, in cooperation with the Data Protection Authority and the Management Association of the Icelandic Government Offices, has issued guidelines for government agencies on the use of cloud computing solutions. These can be taken into account when assessing whether such services should be implemented, and the guidelines can of course also be used by non-governmental organizations. The guidelines include a checklist for the planned implementation of cloud computing services. They also discuss risk assessment in relation to the storage of data in cloud computing solutions, the goal of which is to reveal whether the assumptions for transferring data to a cloud hold, and if so, for what kind of cloud computing.