Legal considerations for off-site storage
In traditional outsourcing, when an activity is transferred by an outsourcer to a service provider, the outsourcer may retain regulatory compliance responsibility. Cloud computing is a new form of outsourcing, and many traditional outsourcing concerns and issues apply equally. Compliance responsibility remains unaffected: you can outsource the fulfillment of the regulatory requirement, but you cannot outsource your regulatory status. As such, the regulation of cloud computing is a paradox: cloud computing is regulated, but there is no entity to be regulated – rather, normal rules apply to a new business model for ICT delivery and consumption.
Cloud for financial companies is no more complicated than for any other organisation. Normal considerations apply: what solution is appropriate; what data goes into the cloud; which processes? The wrinkles start to appear when a financial organisation is thinking about placing key client data offshore and/or putting key processes into the cloud.
It would be wrong to say that the cloud is specifically regulated. But it would also be wrong to say that it is not regulated at all. In fact, there is a whole host of law and regulation that underpins online and cloud activities. Some of the most relevant regulatory regimes are noteworthy because they typify the concerns of organisations seeking to embrace utility computing.
There are three key considerations for financial companies looking to outsource to the cloud.
The first depends on identifying the critical or important functions that an outsourcing company performs on behalf of a financial company. It is imperative that any regulatory demands on the business are met by the outsourcer and that the contract provides for this. Terms like this are normal for a full-blown outsourcing arrangement, but onerous when compared to a typical cloud vendor’s terms.
The second key consideration is whether a financial organisation will be putting data into the cloud and the security issues that come with doing so – what some might say is the Achilles heel of cloud computing. This is a particularly important consideration when dealing with personal and sensitive data, because there are obligations under the Data Protection Act that need to be met. First, assess the nature of the data and its sensitivity; second, consider the public perception of that data being stored in the cloud.
Lastly, there is the issue of exactly where the data might be going. A benefit of cloud computing is that data is held elsewhere – typically in a cheaper jurisdiction. This may raise no issues at all for raw, non-personal data. But the EU Data Protection Directive requires that personal data is not transferred to a country or territory outside of the European Economic Area unless that country or territory ensures an adequate level of protection for that data.
To successfully pick your way through the relevant regulation, it is first critical to understand the business need, the available technology, the relevant data and the terms and conditions upon which the cloud offering can be secured. Blending those considerations together will allow customers and cloud vendors to achieve a community of interest in a regulatory-compliant way.
Mark O’Conor is partner and London location head for IPT at DLA Piper.