Cloud computing, now developing rapidly, is a technique for accessing data and services on a remote server. It allows companies to reduce the cost of managing their data by relying on an external service provider. However, this involves risks, particularly for data confidentiality, which is why the CNIL has drawn up recommendations for French companies wishing to use cloud computing.
Definition of cloud computing
In its recommendations, the CNIL notes that, from a legal point of view, cloud computing has many disadvantages. Because the data is hosted outside the company, its security is reduced, in particular by the risk of leakage or disclosure. In addition, the CNIL questions the legal aspect of this technique and observes that it undermines respect for personal data. This is why it recommends that companies be very attentive: “It is essential that a French company that plans to use a cloud computing company service performs a risk analysis and is very rigorous in the choice of its service provider. In particular, the company will have to take into consideration the guarantees offered by a service provider in terms of protection of personal data and ensure that the latter will provide it with all the guarantees necessary to comply with its obligations under the Data Protection Act, especially in terms of information for the people concerned, supervision of transfers and data security”.
Ultimately, the CNIL recommends not rushing and choosing the cloud provider thoughtfully. The company must ensure that the service will provide for the security of its data, and especially its sustainability.
List of the recommendations drawn up by the CNIL
- Clearly identify the data and processing that will go to the Cloud
It is up to the company to identify the data it wishes to move to the Cloud and to classify it, for example according to whether it is personal, sensitive or strategic for the company.
- Define your own technical and legal security requirements
The company must assess its needs by drawing up specifications and verifying that the Cloud provider actually meets them, so as to ensure the technical and legal security of its data.
- Conduct a risk analysis to identify the essential security measures for the company
A list of the risks to be considered is available on the website of the European Network and Information Security Agency.
- Identify the type of cloud relevant to the planned processing
The Cloud service offered can be either public (shared between several customers), private (dedicated to a single customer) or hybrid.
- Choose a service provider with sufficient guarantees
The CNIL recommends choosing a Cloud provider by following the steps it has taken care to detail in its recommendations.
- Review the internal security policy
Because data is transferred outside the company, the company must remain vigilant about how the data is used and about all transfers that employees will be required to make via the Cloud.
- Monitor changes over time
The law that protects data is constantly evolving and is increasingly able to protect individual rights. The CNIL recommends that companies regularly check that their contract with the cloud provider is in line with their needs, especially when changes are carried out within the company.