Storing personal data in a cloud computing environment

When deciding that data will be stored in a cloud it is important to start by checking if the data involves personal data.

In the case of personal data, the person responsible (controller) must assess whether there are appropriate legal grounds for the storage of such data in a cloud. The controller also has other various obligations under the Data Protection Act. These obligations include:

• taking appropriate technical and organisational measures, taking into account the nature, extent, context and purpose of the processing and the risks to the rights and freedoms of data subjects

• ensuring and demonstrating that the processing of the personal data meets the requirements of data protection laws

• making sure there are legal grounds for processing the data according to the Data Protection Act

• preparation of a detailed risk assessment, which aims, among other things, to establish whether the assumptions are in place for the transfer of data to cloud computing and then how cloud computing

• assessing whether the storage of personal data in the cloud constitutes a transfer of personal data out of the country and whether there is an adequate authorization for such transfer.

• determining which types of information are acceptable to be transferred to the cloud and then which kind of cloud.