The ICO makes clear in the guidance that businesses using the cloud remain responsible for the data stored there, even if the cloud service provider processes that data. Businesses should therefore make sure that the cloud service provider is secure and complies with data protection laws, and that a written contract covers this. The ICO also suggests that businesses should not simply “accept” the standard terms and conditions of cloud service providers without checking that those terms are legally compliant and adequately cover the businesses’ legal responsibilities. Businesses should conduct audits of the cloud service providers, as well as of sub-processors where relevant.
The ICO would support an industry-recognised standard or kitemark to indicate the security that cloud service providers have, so that business customers could take confidence in that security from an independent assessment. The regulator’s advice contained further help, with details of how to encrypt personal data in the cloud.