GDPR and the cloud
Solicitors’ practices and barristers’ chambers moving their information to the cloud have a choice of platforms, the two most popular of which are the public cloud and the private cloud.
In the era of GDPR and in a time when cyber-criminality is growing so quickly that it’s turning into a worldwide industry, what are the advantages and disadvantages of both types of platform?
The public cloud is computing and memory capacity available to every person and organisation subscribing to individual services like Office 365, Google Apps, Amazon Web Services, Dropbox, and more. Users receive the service for free or on a pay-per-use(r) basis.
The private cloud is a sectioned-off portion of the public cloud over which you have much greater control – think of it like an internal IT system but based away from your premises. Access is limited to your organisation and the people in it. The private cloud is protected by your firewall and the maintenance of it is controlled by your IT team, the data centre hosting it, or a combination of both.
Advantages and disadvantages of the public cloud
Public cloud services benefit from ongoing investment in both capacity (memory and processing) and security (firewalls). Investment in the provision of public cloud services is still in an “arms race” period as investor and corporate money is flooding into the sector with the main players looking to secure a competitive advantage.
Only your cloud provider and your IT team will know where in the cloud your data is situated, making it much harder for potential bad actors to find. Public cloud services are built to withstand both hardware failures and sudden spikes in demand, meaning that the speed with which you access information will be relatively unaffected by events outside your control at nearly all times.
However, you have no control over whether the data is encrypted on its travels to and from the public cloud and, if it is encrypted, over the level of encryption it enjoys. Your provider may change the terms and conditions of service at any time, which is beyond your control, and it may be difficult, if your public cloud services are outside the European Economic Area, to prove that your public cloud is a safe harbour.
Advantages and disadvantages of the private cloud
On a private cloud, your data and computing infrastructure are separate from the rest of the cloud and that separation gives you the ability to design your remote IT system to your firm’s exact needs and preferences.
Your private cloud is the computer network for your firm – it offers a virtual desktop user experience. A private cloud can also host database engine software like SQL Server in addition to many of the current legal software apps that your firm may already be using on your internal computer network.
Your firm owns the equipment on which your private cloud is hosted and your data is not at risk if your cloud service ceases to trade. You can collect (or instruct someone else to collect) the machinery.
Your IT team is in charge of who accesses applications and files on your private cloud and they can make data security more robust by employing industry-standard firewall protection.
Which solution should legal sector firms choose when thinking about GDPR compliance?
The right solution for your firm will be the option, either offered by a public cloud or private cloud provider, which is closest to what you intend to use the cloud for.
At the time of writing, there seems to be a sector-wide shift toward private cloud computing because of the ability to both run applications and retrieve files securely. Private clouds offer a much higher degree of controllability than the public cloud, so the private cloud can be made to fit around a legal firm’s needs rather than a legal firm adapting its business processes around the public cloud’s limited functionality.
With reference to GDPR, this approach makes sense. Although the firewalls employed on the public cloud seem safe on the surface, ultimately the ability to protect your data is dependent on someone else’s judgment – your firm has no say in it. In addition, it’s much easier to stay compliant with safe harbour requirements using the private cloud and you’re also able to choose the level of encryption you require.