Before embarking on a Cloud computing development, ensure that your organisation’s information (and especially IT) security framework is sound, and that responsibility for information security is clearly allocated.

Ensure that your organisation’s approach to data protection compliance is well thought out, and that responsibility is clearly allocated.

Before selecting a Cloud provider, consider whether your data needs to be retained in the EEA, and if so, make this a key selection criterion.

For all Cloud providers under consideration, check the contract (or standard terms and conditions) very carefully, especially for:

• Ownership of the data;

• Security undertakings and certified security standards;

• Location of data and whether you have any control over this;

• Any mention of liability the provider accepts or excludes;

• Any mention of whether the provider uses subcontractors;

• Arrangements for you to make your own backups, in addition to those made automatically by the provider;

• How you obtain access to your data in the event of wanting to change provider;

• What happens to your data if the provider (or one of its subcontractors) goes out of business, or if you get into a dispute with the provider;

• Any provision for the supplier to use your data for its own purposes; and

• Mechanisms by which you can verify, for example, where the data is held.

Verify any claims made by the providers for compliance with, for example:

• The GDPR and/or NIS Directive;

• ISO 27001; or

• The EU-US Privacy Shield, in the case of a US-based organisation.

It is impossible to eliminate all risks. Assess the risks and prepare a risk assessment so that the appropriate people in your organisation can make an informed decision.

Ensure that any contractors assisting in setting up the Cloud application are given clear instructions about the security measures they should be implementing.

Once the Cloud service is in place, consider commissioning external testing to ensure that it has been configured correctly and is not vulnerable to any well-documented security threats.

Ensure that access to the Cloud application and the data it holds is adequately controlled, especially if it may be accessed by users working at home or on their own devices.

Provide adequate training and guidance for all users so that they know both how to use the system and how to ensure that personal data placed in it is appropriately handled.