Big Data in the Cloud
02 March 2015
Are you a Data Controller?
It is essential to establish whether you are a data controller or a data processor for the purposes of the Data Protection Act, as this will dictate the level of obligations imposed on you under Data Protection Law. In fact, if you are a controller, the law requires you to take “appropriate technical and organisational measures against the unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.” By contrast, the law imposes no such responsibilities on you if you are a processor and leaves it for the controller to police what you are doing on their behalf.
That’s because it’s the data controller who determines the purposes for which and the manner in which personal data are, or are to be, processed. A data processor simply processes the data on behalf of the data controller.
Whilst that sounds simple in theory, the lines are often blurred in reality. As a result, the degree of independence that a party has in determining how and in what manner data is processed, as well as the degree of control over the content of personal data, will indicate whether the party involved is a controller or a processor.
Data Controllers in the Cloud
If you are a controller, then in order to comply with your legal obligations, you’ll have to anticipate data protection issues arising from your use of big data technologies and take prudent practical steps. These may include privacy impact assessments to determine the effect that big data analytics is likely to have on the individuals whose data is being processed and whether the processing is fair.
That means you’ll be subject to national data protection law in relation to your use of cloud services and as a result:
· you’ll remain legally responsible for any processing undertaken on your behalf by a cloud provider as data processor;
· even though you’re technically the customer, you’ll be liable for any breaches of data protection law caused by the acts or omissions of your cloud provider; and
· you could face sanctions and penalties as a result of the failings of your cloud provider.
How can you protect yourself?
Don’t just accept your cloud provider’s standard terms and conditions without reading them.
They’ll most likely exclude liability in so far as they think it lawful to do so, and leave you carrying the can alone should something go wrong. At the very least, you’ll want to make sure that the provider acknowledges your obligations under the Data Protection Act, undertakes that in providing its services it won’t do anything which could or does put you in breach of your obligations, and will indemnify you if it does anything which does put you in breach.
For more information about this update or advice on data protection law, please contact Dawn McKnight.