As covered in previous posts, there is a lot to consider when storing records in the cloud. First, there is the question of what happens to the legal status of records when they are moved into the cloud. Unfortunately the law is not always clear on the subject of cloud records storage, which introduces risks that need to be understood and managed. Then there is the logistical question of how to maintain your requirements for records retention in the cloud environment.
What about privacy and security?
This is another tricky aspect of cloud records storage. The decentralized, distributed nature of cloud storage makes it harder to know exactly where sensitive customer and company information is located at any given time, let alone to control access to it. This is not an issue exclusive to records stored in the cloud. As a widespread concern, cloud privacy is receiving a lot of attention from lawmakers around the world as they introduce legislation – and stiff penalties – to minimize consumer risk and force providers to address the issues. For example, the EU’s General Data Protection Regulation prescribes fines of up to 1 million Euros for “breaches that relate to international data transfers, an error that could occur more easily when using cloud computing.”
Unfortunately, avoiding these risks isn’t straightforward. The cloud poses security and privacy challenges that records managers simply haven’t had to face before. This seems to leave us with more questions than answers. For example:
- How are our obligations or legal protections altered when cloud records are stored outside our company’s operating jurisdiction?
- How will we control the way in which personal information is handled and protected?
- How will we guard against unauthorized access and use?
Tackling the issues
As you weigh the possibility of storing records in the cloud, there are some steps you can take to get answers, and to minimize privacy and security risks. This is usually done under the umbrella of a Privacy Impact Assessment, which involves:
- Establishing clearly the specific statutes, regulations and industry standards that govern privacy and personal information in the jurisdictions in which you operate.
- Declaration of authorized business purposes for which information may be collected, used, disclosed and/or retained.
- Determination of requirements to seek individual consent for any collection, use or disclosure of personal information, including possible information access by your cloud records storage provider.
- Description of contractual provisions and related enforcement controls related to information ownership, control, retention and protection.
- Summary of records retention rules and any technology specifications, workflow processes or other tools for implementing those rules.
- Assessment of information security and integrity risks, as well as any technical, physical or administrative safeguards to help prevent or mitigate those risks.
If it seems like a lot of work, it is. This is simply a reflection of the complex issues raised by the cloud. The good news is that a systematic planning process can clear the path to achieving the benefits of cloud – without having to worry about when the phone will ring about a privacy breach.
- To learn more about the challenges – and solutions – for cloud records storage download our free white paper.
- Read more about the legal and retention issues posed by the cloud.
- If you need help planning a move to cloud records storage, get in touch and let one of our professionals guide you.