Swedish companies need to understand that compliance in cloud services is their own responsibility.
At Storegate, we don't just work to solve our customers' needs for smart cloud services for secure file sharing and backup. A large part of our work is spent on helping companies understand compliance in the cloud.
We often find that our customers have not understood who bears ultimate responsibility for compliance in the cloud. Moving company files to the cloud is quick, and for many it is only much later that they realise their mistake: it is actually up to them to ensure how their chosen provider treats their information.
Standard contractual clauses not enough
Shortly after the European Court of Justice invalidated the Privacy Shield in the Schrems II vs Facebook ruling of 16 July 2020, foreign cloud service providers were forced to inform their customers that they were changing the terms for processing personal data. They went from relying on the Privacy Shield framework to relying on standard contractual clauses. The change means that it is now you, the customer, who is responsible for ensuring that the provider, and the third country where your data is stored, meet the same level of protection as if the data had been stored in Europe by a company based in the EU, under European law. Quite a tough, if not impossible, task for companies and organisations large and small.
Responsibility lies with the customer
The benefits of cloud computing are many and during the current pandemic we are seeing trends towards more remote working. We see that both our own services and those of our industry peers have improved collaboration between colleagues, increased efficiency, lowered costs and increased user satisfaction. So why isn't it all gold and green forests? Well, because when IT departments roll out new services, corporate Data Protection Officers come along and ask uncomfortable questions. The legalities around how to handle different types of information in cloud services are difficult to get to grips with. You need to take into account a range of different legislation depending on which sector you operate in, not least GDPR. But you should also seriously consider whether you are prepared to expose your own and your customers' data to foreign legislation and what that might mean in the longer term.
There are complementary
Taking advantage of the benefits of cloud computing and the opportunities it provides to grow your business is something most businesses want to do. So be sure to think before, rather than after, you choose a provider. Be uncomfortable and ask the following questions:
- Will we process personal data at the provider?
- Can we verify that the provider is storing our data correctly now that the Privacy Shield has been invalidated? Please also check subcontractors.
- Should we review our own privacy policies and remove references to the Privacy Shield?
- Will this affect our data processing agreements with customers? Ensure that transfers to the US are not made based on standard contractual clauses.
- Will we be able to respond to our customers, partners, the Data Protection Authority and others who have questions about how we store data after the invalidation of the Privacy Shield?
Make sure to consider compliance from the start. One way is to talk to us at Storegate. Our secure file sharing services complement Office 365 and Google for Work, allowing you to store and share sensitive information too. That way, you don't have to worry about the potential impact of foreign laws over time, and you can stay on top of your own compliance.
By: Torbjörn Lindkvist, Business Area Manager, Storegate AB, +46 (0) 705 487 463, torbjorn.lindkvist@storegate.com