
The cloud: practical needs and compliance

Apr 08 2015

Moving to the cloud does not mean outsourcing liability. The elements to consider in order to achieve regulatory compliance, and more efficient processes as well.


Nowadays the cloud is a reality and, in many cases, a necessity. Several factors have pushed in this direction, including the wish of many companies and organizations to avoid purchasing hardware, which can be very expensive, together with the resulting costs of securing both the data and the systems on which they are processed.
This process has led to an almost "retro" return to the "dumb terminals" that once connected to a mainframe and that today connect to the "cloud".

As often happens, simplicity was chosen over the security assessments that we were accustomed to carrying out in compliance with the existing regulatory framework or with best practice.
Moreover, the idea has become widespread that relying on a cloud service involves the complete outsourcing of "security" issues, simply shifting them onto the "cloud providers", whose responsibility it would be to protect the data and to provide a "necessarily" compliant service.
In fact, when the phenomenon is observed in legal terms, the consequences are numerous.
As a general remark, the services now provided through the cloud meet the same needs that existed before the cloud was introduced; the same legal issues must therefore still be addressed, in addition to new ones.
Limiting the observations to the IT field, from a personal data protection point of view it will be necessary, for example, to determine where the provider sits in the "pyramid" of privacy roles (controller or processor), and this determination cannot be based on practical convenience alone.

Another need that cannot be deferred is to verify, well before signing an agreement, that the cloud provider's server farm exists, where it is located, and which measures protect the data stored or processed in it.
Suffice it to say that the cloud provider is not always a well-known name; the search for competitive rates and performance can therefore increase the risk of ending up with a cheap provider unable to comply with the security measures required by the regulatory framework and by the level of risk that any information incident (loss, theft or unavailability of data) could entail.
Here an extremely important aspect emerges: the need to evaluate the cloud provider carefully and to create the conditions for periodic checks on the tools used and on the measures adopted to protect the information managed in the "cloud" or processed by third parties not directly identified by the "data controller".

Naturally, these basic elements are followed by many others, starting with the "chain of suppliers" (the provider's own sub-providers) and continuing with the imposition of standard contractual clauses for the protection of data and the adoption of impact assessments for data transfers outside the EU.

Lastly, with reference to agreements with cloud providers, attention should be paid to unfair terms, to the protection of business-sensitive data (not only "personal" data) and to business continuity when the agreement comes to an end or when the company using the service chooses another cloud provider.



EXP Contacts

  Via di Ripetta, 141
00186 - Roma

 +39 06 6876917


Via Fontana, 22
20122 - Milano

+39 02 30573573


  1000 5th Street, Suite 200
Miami Beach, FL, 33139
