When processing personal data in the cloud, who's responsible for data integrity and security? Who's liable for any data loss or security breach?
Cloud customers
A business holding personal data about other people, eg its customers, is "controller" of that data under the EU Data Protection Directive (DPD).
If it chooses to store or work on that personal data in the cloud, it remains controller. It can't offload its data protection law responsibilities just by putting the data into the cloud.
That much is clear.
(Note. I'll assume that all cloud customers discussed below are "controllers" under the DPD, and aren't exempt eg because they're holding personal data for purely personal, not business, purposes. Also, only controllers with certain EEA connections are within the DPD's scope. I'll cover the required connections in a future article, but when controllers are mentioned below, I assume that they have that connection.)
Cloud services providers
What about providers of cloud services?
Now, a cloud provider is "controller" of its human customers' personal data, whether obtained in the sign-up process or from their use of its service. (I say "human" because most EU states give data protection law rights only to humans, not non-individuals like companies.)
The more interesting and difficult question is, what's the provider's position if its customer uses its service to process other people's personal data, eg of the customer's own customers?
The now well-known key categories of these services are IaaS, PaaS and SaaS. But it's important to note that cloud services can be "stacked" or layered.
An internet startup offering SaaS applications or services online, eg contacts management or photo sharing, could develop and deliver its services using a third party's IaaS or PaaS behind the scenes, instead of its own servers. Many have.
One question there is, to what extent is the SaaS provider responsible for personal data processed via its service by its own customers? But a further question is, to what extent is the IaaS or PaaS provider responsible for personal data processed via its services by the SaaS provider, or indeed by the SaaS provider's customers?
----------------------------------------------
Source: blogs.computerworld.co.uk
By: Kuan Hon