Data privacy regulations are becoming more complex in today's changing IT landscape, and the consequences are huge. It's increasingly important for businesses to keep up to date on legal and regulatory issues of using public cloud while complying with the EU data protection framework.

In terms of the current issues, it goes without saying that data and information are at the heart of any business – whether you are dealing with commercial contracts, M&A, big data, the internet of things, outsourcing and of course public and private cloud. It's inevitable that almost all of these things will involve some movement or processing of personal data.

Concerns about the cloud

The global nature of the cloud and the security of data are important, particularly in a world where there is government intervention in personal data, nation state hacking, politically motivated hacking and just straightforward operator error. All of these things raise the stakes.

When we look at the cloud, what are the current concerns that come to mind? Who is responsible for protecting personal data in the cloud? Is it the cloud host or is it the owner of the data? To what extent is it the individual's responsibility to have control over their own personal information?

Since the cloud is by definition everywhere, one of the challenges is identifying the applicable law and jurisdiction if you uncover a data breach or misuse of your personal data in the cloud. In addition, there are contractual issues. All too often there is no contract negotiation when using public cloud; it is a click-through process and a 'take it or leave it' attitude over the issues of warranties, indemnities and liabilities.

Another issue is the legal basis for processing data in the cloud – do you have the consent of individuals to process their data in the cloud? If you don't have permission, certainly under the EU laws, then putting personal data in the public cloud might infringe on the rights of individuals and make the data controller liable for what happens to the data.

It's also important to know how data is stored. Where is the server located, and how long is the data being stored? Also consider the obligations on the data controller to erase data, whether on its own initiative or because somebody exercises the 'right to be forgotten' that we have heard so much about. Finally, you need to audit, monitor and manage risk when the data that you are responsible for is being managed by someone else. And then of course there are data breaches…

Data protection principles

Within the EU we have an organisation called the Article 29 Data Protection Working Party, a committee made up of all of the regulators within the EU. They published an opinion in July 2012 on the challenges of cloud computing and data protection. The opinion highlights two main risks – the lack of control over the data and the lack of information on data processing.

The opinion offers guidance on the duties and responsibilities of data controllers and cloud providers as well as advice on how to manage and analyse risks in the cloud. The principles outline that data shall not be kept for longer than necessary, data subjects have rights to know what we are processing about them and the right to be forgotten. Most importantly, organisations must implement appropriate technical and organisational security measures, including training, to protect personal data. Current rules also insist that personal data shall not be transferred outside of the European Economic Area, unless the recipient country provides an adequate level of protection.

New regulations coming down the track up the ante for data controllers to better manage personal data in the cloud. The EU General Data Protection Regulation (GDPR), which is currently being finalised, will replace the current Data Protection Directive and will be immediately applicable in every member state without local law needing to be enacted. We expect approval of GDPR by the end of 2015 and final enforcement by 2017.

In the new framework, most businesses will need to appoint a data protection officer who will need to be appropriately qualified and trained and will have the task of monitoring compliance, conducting audits and reporting data breaches. There's a catch for those businesses that have to appoint a data protection officer – they are protected employees and can't be dismissed for convenience. In addition to reporting data breaches they will be your internal whistleblower, reporting the business to the regulator when there is non-compliance.

The GDPR also expects the regulator to be notified without undue delay, effectively within 72 hours of a data breach. This puts huge pressure on data controllers to have appropriate systems in place to react to an issue, regardless of whether the data controller was the cause of the breach or whether the breach occurred in the cloud and is the problem of both the data controller and the cloud vendor. Individuals will also need to be notified if there is likely to be significant damage as a result of the breach, similar to current US regulations.

Under the GDPR there is the potential of fines on the data controller of up to 5% of annual worldwide turnover for seriously negligent breaches. Without notice, dawn raids may be carried out to determine the level of the fine relative to the security in place to protect data.

In addition to the guidance offered by the EU on data security, the Information Commissioner's Office recommends anonymising data. One way of avoiding concerns around compliance with data privacy laws is to make sure that personal data is not personal data. Technology from vendors like CloudMask can mask data on premise and in the cloud, making it meaningless to hackers, governments, employees and cloud administrators. Anonymisation is the process of turning data into a form which does not identify individuals and where re-identification is unlikely to take place. If this technique works, it could significantly minimise risk.

It's a complex environment where regulations are being revised as a result of the latest technologies including social media and cloud computing. The pressure is on those of us who use personal data to protect not only individuals but also ourselves by considering what technology is out there to minimise the risks of managing personal data in the cloud or indeed anywhere.

Robert Bond is head of data protection & information security law at Charles Russell Speechlys.