How to comply

Your cloud services solution might not involve the provider accessing your information at all.

Some access to information will be relatively innocuous - such as automatically shifting files around to optimise performance.

But you need to ask. You're not on the spot, so you can't control things directly - you're reliant on the provider to get it right. Your customers trust you to make sure their information is properly protected.

Any use of personal information should be directly related to the purpose for which you've got the information in the first place. If it's being used for a new purpose, that should almost always be authorised by the person the information is about.

What the provider should tell you

  • what purposes the provider may need access for, if any?
  • are optimisation or other analytical processes carried out by the provider's staff, or are they automated?
  • which staff have access to the information?
  • how is that access controlled and monitored?
  • does the provider maintain an audit trail for who accesses the information and what for?
  • can the provider use your information to develop its own products or for its own commercial gain - such as collecting statistics from your data to sell as a product to others?

 
