Perform a risk assessment and threat analysis
- Identify all the enterprise’s systems containing personal data. Then grade the data according to sensitivity, from sensitive to non-sensitive.
- Evaluate what could go wrong.
- Assess the consequences if anything were to go wrong, e.g. that personal data falls into the wrong hands.
- Create a list of security measures that have been implemented to deal with any incidents.
- Assess the security measures in the agreement with the cloud computing service provider. Does the service meet the requirements identified in the risk assessment?
Make sure you have a data processor agreement with the provider of any cloud computing services
You have a duty to enter into a data processor agreement with the provider of any cloud computing services, and you must ensure that this agreement complies with Norwegian law and regulations. It is the enterprise’s responsibility to ensure that the statutory requirements are complied with at all times. Important issues that must be covered in the agreement include backup copying, deletion, access management and data segmentation:
- How does backup copying/mirroring work?
- When are data held by the service provider deleted?
- Is access management in accordance with statutory requirements and the service provider’s own internal control systems?
- How does the service provider ensure that personal data from one data controller is not mixed with those of another?
- Find out whether the service provider can use the enterprise’s data for its own purposes.
- Ensure that the service provider’s privacy terms (or other terms) do not exceed the provisions of the data processor agreement.
- Make sure you regulate the service provider’s use of subcontractors, and that the enterprise has an overview of and control over such subcontractors.
Audit the data processor
- The use of cloud computing services must be audited on a regular basis. In other words, you yourself, or an independent third party, must perform a security audit to ensure that the data processor agreement is being complied with.
- If the agreement states that a third party is to perform the audits, ask to see the final audit report. This report must also be made available to the Norwegian Data Protection Authority if we ask to see it during one of our inspections.
Make sure that any transfer of data is lawful
- Transfer to a third country: In principle, personal data may not be transferred to countries outside the EEA. However, the Norwegian Data Protection Authority may authorise such transfers in advance. In addition, certain countries have been approved by the EU as safe receiving states.
Portability of data
- Can the data be transferred to a new service provider if this is deemed desirable?
Ensure secure communication and encryption
- Are data encrypted before they are stored in the cloud?
- Is communication between the data controller and the data processor encrypted?
- Is communication between the data processor and any subcontractors/data centres encrypted?
- Who holds the encryption keys?
Put the necessary documentation in place
- Is the solution adequately documented, so that public authorities can perform an audit?