
Regulatory compliance in cloud computing

Swedish businesses need to understand that compliance in cloud computing is their own responsibility.

At Storegate, we don’t just work to solve our customers’ needs for smart cloud services for secure file sharing and backup. A large part of our work is devoted to helping companies understand regulatory compliance in the cloud.

There are many times when we realize that our customers have not understood who bears the ultimate responsibility for compliance in the cloud. Moving the company’s files to the cloud is quick, and many realize their mistake only much later: it is actually up to them to ensure how the chosen provider treats their information.

Torbjörn Lindkvist, Business Area Manager, Storegate AB

Standard contractual clauses not enough
Shortly after the annulment of the Privacy Shield by the European Court of Justice, in the Schrems II vs Facebook judgment of July 16, 2020, foreign cloud service providers were forced to inform their customers that they were changing the terms and conditions for processing personal data. They went from relying on the Privacy Shield framework to relying on standard contractual clauses. The change means that you, the customer, are now responsible for ensuring that the provider and the third country in which your data is stored meet the same level of protection as if it had been stored in Europe by an EU-based company, under European law. Quite a tough, if not impossible, match for both large and small companies and organizations.

The responsibility lies with the customer
The benefits of cloud services are many and during the current pandemic we see trends towards increased remote work. We see that both our own and our industry colleagues’ services have improved collaboration between colleagues, increased efficiency, reduced costs and increased user satisfaction. So why isn’t it all gold and green forests? Well, because when IT departments roll out new services, companies’ Data Protection Officers come asking uncomfortable questions. The law on how to handle different types of information in cloud services is difficult to understand. You need to take into account a range of different legislation depending on the sector in which you operate, not least the GDPR. But you should also give serious thought to whether you are prepared to expose your own and your customers’ data to foreign legislation and what this may mean in the longer term.

There are complementary services
Most companies want to take advantage of the benefits of cloud computing and the opportunities it offers to develop their business. So make sure you think before, rather than after, choosing a provider. Be uncomfortable and ask the following questions:

  • Will we handle personal data at the supplier?
  • Can we check that the supplier is storing our data correctly once the Privacy Shield is invalidated? Also check subcontractors.
  • Should we review our own privacy policies and remove references to the Privacy Shield?
  • Will this affect our data processing agreements with customers? Ensure that transfers to the US are not based on standard contractual clauses.
  • Will we be able to respond to our customers, partners, the Data Protection Authority and others who have questions about how we store data after the Privacy Shield is invalidated?

Make sure you take compliance into account from the start. One way is to talk to us at Storegate. Our secure file sharing services complement Office 365 and Google for Work and allow you to store and share sensitive information too. This way, you don’t have to worry about the potential impact of foreign laws over time, and you can stay on top of your own compliance.

By: Torbjörn Lindkvist, Business Area Manager, Storegate AB, +46 (0) 705 487 463, torbjorn.lindkvist@storegate.com