New guidance for using cloud technology

The guidelines apply not only to cloud service providers but also to their customers. It’s worth noting they are very precise in defining what you, as a user, should consider when using a cloud service.

💡 This article is reprinted here from Iagon corporate blog.

In March 2022, the Danish data protection authorities, Datatilsynet, released guidelines for data protection and the use of cloud technology. The guidelines apply not only to cloud service providers but also to their customers. It’s worth noting they are very precise in defining what you, as a user, should consider when using a cloud service.

What is considered cloud technology?

The guidelines define the cloud as “a model for providing standardized computer system resources typically on larger decentralized collections of servers, accessed via the internet”. There are various types of cloud services:

A) Infrastructure as a service (IaaS): this is the most basic of all service models. In this model, the user has access to infrastructure, which includes resources such as processing, storage, and network. In this case, the user is required to install and operate some sort of software. It is the user’s responsibility to implement security measures concerning the operating system, data storage, and business application.

B) Platform as a service (PaaS): In this type of service, the user has access to infrastructure, a database, and operating systems. The platform can be used for running applications that were either bought or developed by the user. The user is responsible for the implemented applications and their configuration.

C) Software as a service (SaaS): In this type of service, the customer has access to the suppliers and fully developed cloud-based applications. The cloud service provider takes full responsibility for the operation and maintenance of the solution. By contrast, the user has less responsibility and control over the entire solution.

As a user, what should you consider when using a cloud service?

Usually, when using a cloud service, you as a user assume the role of a data controller, and the service provider is the data processor. When processing personal data, you as user/controller must consider the following aspects:

1) Having a lawful basis for processing the data.

2) Knowing what type of personal data you are processing (this could fall under personal, sensitive, or other special categories of data).

3) Defining the purpose of processing the data.

4) Knowing how the processing is carried out.

Having considered these factors, one should be able to assess if the processing of personal data can be conducted in compliance with the data protection regulation. If the answer is negative, the user/controller should look for alternatives for processing. The user/controller must always document the assessment carried out to ensure compliance with chapters II through V of the GDPR, and be able to demonstrate such compliance to the DPA when requested. You, as a user/controller, bear a high level of responsibility when it comes to the data protection law. Your documentation should therefore reflect that you have assessed the risks related to data processing activities and, more importantly, that you have taken all the necessary measures aimed at mitigating risks.

For more information and to see what else is going on with iagon, please follow us at the social media links, or head over to the IAGON Website!