Cloud Computing 2024 - Part 2
Contents
- 4. Vendor Management
- 4.1 Due Diligence
- 4.2 Data Protection in Cloud Service Agreements
- 4.3 Data Processing Agreements and the Cloud
- 4.4 Exit Strategies and Data Migration
- 5. Data Breach Notification
- 5.1 Requirements to Report Data Breaches
- 5.2 Investigating and Remedying Data Breaches
- 5.3 Notifying Data Breaches
- 6. International Data Transfers
- 6.1 Cross-Border Transfer Regulation
- 6.2 Data Localisation
- 6.3 Conflicts of Law
- 7. Compliance and Audits
- 7.1 Cloud Computing and Compliance/Audits
4. Vendor Management
4.1 Due Diligence
Thorough due diligence is essential when selecting a cloud provider to enhance data protection in cloud environments and ensure compliance with legal requirements, primarily the DP Law.
Although no formal list is published by the authorities, cloud users should consider the following key matters before selecting a cloud provider:
- location of servers where personal data is stored;
- legal jurisdiction governing the data, especially if stored across multiple countries;
- cloud provider’s compliance with legislation, industry regulations and standards;
- liability and indemnity clauses, ensuring the cloud provider complies with regulatory and contractual requirements, as well as the right to audit the cloud provider’s compliance;
- adequate system capacity (eg, maximum resource capacity, input processing rate over time and data transfer volume over a specified period);
- specific methods used to facilitate service resilience and fault tolerance;
- specific clauses regarding the backup and restoring of data;
- specific clauses regarding data ownership rights and how they are enforced;
- appropriate technical and administrative measures for processing personal data (see 2.1 Data Security and the Cloud);
- available cloud service support plans and methods;
- service level agreements (SLAs) for uptime guarantees, performance metrics and support response times;
- data migration process to the cloud;
- a clear exit strategy, including data portability support in transitioning to another provider or back to on-premises solutions, as well as the process for securely deleting data;
- disaster recovery plan for incidents such as cyber-attacks or natural disasters;
- policies and procedures for ensuring data security and responding to law enforcement requests;
- changes to features and functionality and the process of termination of services, including the length of time that data and logs are retained, notification procedure and return of assets; and
- relevant certifications, such as ISO 27001.
It is important to emphasise that the key points mentioned above should be considered not only when selecting a cloud provider and negotiating the service agreement but also throughout the entire duration of the service relationship. This is because the controller is responsible for ensuring that processors implement the necessary measures while engaged in data processing on their behalf.
4.2 Data Protection in Cloud Service Agreements
Data Protection Requirements in Cloud Agreements
Cloud agreements typically include data protection clauses that commit the parties to comply with applicable data protection laws, such as the DP Law and other legislation relevant to cross-border transfer, if it occurs.
These provisions are often reinforced by confidentiality clauses and intellectual property provisions that clarify the protection of confidential information, restrictions on disclosure, and the ownership of personal data processed or derived in cloud environments.
In its Guidelines on Data Controllers and Processors (the “Guidelines on Controllers and Processors”) and various resolutions, the DPA explicitly states that processors must conduct their data processing activities on behalf of controllers strictly in accordance with the controller’s instructions.
Therefore, controllers should include the processor’s commitment to comply with their instructions in writing within the cloud agreements, ensuring that they are clear and aligned with the controller’s needs. For instance, relevant technical and administrative measures to be implemented by processors (see 2.1 Data Security and the Cloud) can be detailed in cloud agreements, along with the processor’s commitment to comply with data disposal requests from controllers (see 3.3 Data Retention and Deletion).
Although the DP Law does not directly mandate controllers and processors to conclude DP Agreements, the Guidelines on Controllers and Processors indicate that the DPA expects the parties to establish DP Agreements to clarify their respective duties and responsibilities (see 4.3 Data Processing Agreements and the Cloud).
For this purpose, in market practice, the parties typically enter into separate DP Agreements, which regulate the data processing activities related to the service agreement between them. These agreements generally outline the obligations of controllers and processors by referencing the DP Law and often include penalty and indemnity clauses for cases of non-compliance.
Measures for Ensuring Cloud Providers Comply with Data Privacy Regulations
Administrative fines and criminal penalties generally serve as strong deterrents for ensuring compliance (see 1.3 Penalties for Non-compliance With Data Privacy Regulations).
However, cloud providers are typically classified as processors and are thus exempt from administrative fines, except for failing to notify the DPA within five business days following the execution of standard contractual clauses (SCCs). Therefore, processors’ accountability to the controller is reinforced through DP Agreements, which clearly define the cloud providers’ roles, responsibilities and obligations, with particular emphasis on penalties and indemnity clauses (see 4.3 Data Processing Agreements and the Cloud). These clauses promote accountability among processors and facilitate dispute resolution by outlining procedures for addressing breaches, ultimately safeguarding the interests of both parties and enhancing overall data governance.
Furthermore, controllers must ensure that appropriate technical and administrative measures are implemented by their processors. Therefore, DP Agreements should include clauses granting the controller the right to audit processors’ activities. Regular and unannounced audits are essential to verify that these measures are continuously applied and that processors comply with the DP Law.
Additionally, it is crucial for DP Agreements to include provisions ensuring that processors adhere to the controller’s policies on personal data storage and destruction.
On the other hand, in market practice, the technical measures implemented by cloud providers are often reinforced by supplementary technology services-related agreements, such as IP licences and SLAs. For instance, SLAs often incorporate clauses related to incident management to effectively manage risks and enhance overall service reliability. They establish clear expectations and include provisions for penalties or service credits if performance standards are unmet.
4.3 Data Processing Agreements and the Cloud
The DP Law does not explicitly mandate a DP Agreement; however, it can be inferred from the DPA guidelines that the DPA expects controllers to enter into a DP Agreement when entrusting data processing activities to a processor (see 4.2 Data Protection in Cloud Service Agreements).
DP Agreements typically include the following key elements:
- roles, responsibilities and obligations of the parties;
- requirements for the use of sub-processors;
- technical and organisational measures;
- procedures for data export, migration and deletion;
- data transfer and cross-border transfer provisions;
- documentation and records of processing;
- data breach notification procedures;
- liability and indemnification clauses; and
- certifications and audit procedures.
Although the authority to decide on the purpose and means of data processing activities belongs to controllers, the DPA clarifies in its Guidelines on Controllers and Processors that controllers may grant processors (eg, cloud providers in cloud environments) the authority to make decisions on certain matters. The following matters are listed as examples:
- which IT systems or other methods will be used for the collection of personal data;
- methods by which personal data will be stored;
- details of security measures to be taken for the protection of personal data;
- methods by which personal data will be transferred;
- methods to be used for the accurate application of retention periods for personal data; and
- methods for deleting, destroying and anonymising personal data.
In market practice, the cloud sector is dominated by a few major operators such as AWS, Microsoft Azure and Google Cloud. As a result, cloud users (controllers) often accept DP Agreements or terms and conditions unilaterally drafted by cloud providers. This is largely due to the imbalance in bargaining power and the impracticality of providers signing individual agreements with each user, which often results in a “take it or leave it” approach with little to no room for negotiation.
4.4 Exit Strategies and Data Migration
Termination and Exit Strategies in Cloud Service Agreements
Cloud service agreements are not specifically regulated under Turkish law. Therefore, there are no specific legal requirements for their termination. In such cases, general rules and principles of contract law apply.
One of the key principles established by the Turkish Code of Obligations (TCO) is the freedom of contract, which allows parties to define nearly every aspect of their relationship, including the inclusion or exclusion of specific termination rights, as long as these terms do not conflict with mandatory legal provisions.
In the context of a cloud environment, cloud agreements are typically executed for a definite term and include renewal options at the end of this period. Parties may terminate the agreement by providing notice to the other party within the agreed notice period before the term ends or choose to renew the agreement.
The most commonly used termination clauses are as follows.
- Termination for convenience clauses allow either party to terminate the contract before the end of the term with notice. Parties typically define a reasonable notice period that must be followed when terminating the cloud agreement. However, under the TCO, parties may also terminate without notice if: (i) granting time would be ineffective, (ii) the obligation becomes useless due to the other party’s fault, or (iii) the contract specifies that performance at a particular time or within a specific period is essential and will no longer be accepted due to non-performance.
- Termination for cause clauses enable parties to terminate the contract immediately, without notice, for justified reasons related to a significant breach of the agreement, such as non-compliance with data protection laws, failure to pay fees or failure to meet other critical contractual obligations.
- Force majeure clauses allow both parties to terminate the agreement without penalties in the event of unforeseen circumstances (eg, natural disasters, regulatory changes) that prevent the fulfilment of obligations.
Data and Services Migration Between Cloud Providers
While no specific legislation regulates migration requirements, controllers must implement appropriate measures when transferring personal data to ensure compliance and data security (see 2.1 Data Security and the Cloud).
It is crucial for cloud users to conduct comprehensive due diligence before initiating cloud migration, carefully assessing the risks to the confidentiality, integrity and availability of data while also considering applicable legal requirements. Controllers should also conduct a data protection impact assessment (DPIA) if the data are transferred to a third country (see 6.1 Cross-Border Transfer Regulation).
Cloud providers support several migration methods, which are selected according to the needs of the situation. The most common cloud migration methods are:
- rehosting, which moves an exact copy of the on-premises system to the cloud without major changes;
- replatforming, which makes minor optimisations for the cloud while keeping the core architecture intact;
- repurchasing, which replaces existing applications with cloud-native products, such as SaaS platforms;
- refactoring, which rebuilds applications from the ground up to leverage advanced cloud features such as auto-scaling;
- retiring, which decommissions outdated applications that are no longer needed; and
- retaining, which postpones application migration due to compliance, recent upgrades or other reasons, allowing for future reassessment when cloud adoption makes more sense.
It is important to consider any sector-specific requirements when selecting from the aforementioned migration methods and to ensure that data loss prevention measures are implemented during the migration process.
In the market, major cloud platforms like AWS, Microsoft Azure and Google Cloud offer portability solutions, ensuring that services can run on new cloud infrastructures with minimal modifications.
5. Data Breach Notification
5.1 Requirements to Report Data Breaches
The rules for notifying data breaches under the DP Law also apply when breaches occur in a cloud environment. The obligation to notify the DPA rests solely with the controller, even if the breach originates from the processor (eg, cloud provider).
In practice, cloud providers often detect breaches before cloud users, as they own and manage the cloud systems. As a result, cloud providers are typically obligated to report these breaches promptly to the cloud users, as stipulated in DP Agreements. This obligation may include strict deadlines for notification, such as within 12 hours of the provider becoming aware of the breach. This urgency is crucial, given the limited timeframe for controllers to notify the DPA (see 5.3 Notifying Data Breaches).
Moreover, failure to report breaches in a timely manner is typically addressed by penalty and revocation clauses within these agreements, designed to hold cloud providers accountable. For instance, if a controller incurs an administrative fine due to a delay in notifying the DPA ‒ resulting from the provider’s negligence in reporting the breach ‒ the controller may exercise their right to seek revocation or other remedies as outlined in the contractual agreement.
5.2 Investigating and Remedying Data Breaches
In the event of a data breach, the following steps are usually followed by cloud providers to mitigate the damage caused and improve the security system as per best market practice:
- promptly containing the data breach by disabling affected accounts, changing passwords and isolating compromised systems to prevent further damage;
- assessing the impact of the data breach by determining the scope of the compromised data, identifying affected cloud services and understanding the type of data breached (personal, financial or sensitive business information);
- notifying relevant parties promptly about the data breach, as this is often a legal requirement ‒ communication should include details about the breach, affected data and measures being taken to address the issue;
- understanding legal obligations, which may include reporting the breach to authorities and affected individuals within specific timeframes ‒ failure to comply with legal requirements may result in significant fines and further damage to reputation;
- developing a recovery plan to ensure the resumption of normal operations while enhancing the cloud environment's security against future breaches; and
- conducting a post-breach analysis to investigate the causes of the breach ‒ this may include action plans to improve security measures, awareness training and enhancements to the incident response plan for better future preparedness.
5.3 Notifying Data Breaches
In contrast to the GDPR, the DP Law requires that all personal data breaches be notified to the DPA, regardless of whether the breach is unlikely to pose a risk to individuals’ rights and freedoms.
While the DP Law does not specify a timeframe for breach notifications, the DPA’s resolutions suggest that controllers must notify the DPA within 72 hours of becoming aware of a breach.
This notification should be made by submitting the online form available on the DPA’s website. The controller must provide the following information, along with relevant annexes serving as proof.
- Details on the Controller:
  - title/name and address of the controller; and
  - name and contact information of third parties preparing the notification on behalf of the controller (if applicable).
- Details on the Data Breach:
  - type of notification (initial or follow-up);
  - start, end, and detection dates and times of the breach;
  - if the breach was reported to the controller by the processor, the processor’s name and address, detection date and time, and notification details;
  - sources and details of how the breach occurred;
  - affected security aspects (data confidentiality, integrity and/or availability) and specifics;
  - detection method of the breach;
  - categories of personal data affected;
  - number of data subjects and records affected, including reasons for any estimates;
  - affected data subject groups; and
  - impact on data subjects.
- Details on the Notifications Made:
  - reasons for any delay if the notification to the DPA was not made within 72 hours of breach detection;
  - details of notifications to data subjects (including date, method, and ways to obtain further information); and
  - information on notifications to other domestic or international organisations/institutions.
- Potential Consequences of the Data Breach:
  - severity of the impact on data subjects; and
  - severity of the impact on the controller’s organisation.
- Details on the Measures Taken:
  - information on training received by employees involved in the breach over the past year;
  - technical and organisational measures implemented before the breach;
  - technical and organisational measures taken or planned post-breach; and
  - estimated completion time for the planned measures.
If the controller cannot provide all requested information within the 72-hour period, they are allowed to submit an initial notification with the available details, followed by a follow-up notification as additional information becomes available.
In addition to notifying the DPA, controllers are required to inform data subjects affected by the breach within a reasonable timeframe and without undue delay. If the contact information for the affected data subjects is available, the notification can be sent directly. If not, appropriate methods should be employed, such as publishing the notification on the controller's website.
The communication of the breach from the controller to the data subject should be made in clear and plain language and must include at least the following:
- when the data breach occurred;
- categories of personal data that are affected by the breach;
- possible consequences of the breach;
- measures that have been taken, or that data subjects are advised to take, after the breach to mitigate its negative effects; and
- contact details through which data subjects can obtain further information about the breach.
The DP Law does not specify a particular type of administrative fine for failing to notify data breaches. However, according to DPA’s decisions, controllers who fail to notify the DPA and affected data subjects of a data breach are considered to have failed to implement necessary technical and organisational measures (see 1.3 Penalties for Non-compliance with Data Privacy Regulations).
On the other hand, in addition to the personal data breach notification requirements under the DP Law, a few sector-specific regulations also mandate notifying relevant authorities (eg, ICTA, BRSA) in the event of data breaches. Some of these regulations include the following.
- In the telecommunications sector, under the By-Law on Network and Information Security in the Electronic Communications Sector, operators are mandated to notify the ICTA of any network and information security breaches affecting more than 5% of subscribers and disrupting business continuity.
- In critical sectors, the Communiqué on the Principles and Procedures Regarding the Establishment, Duties, and Operations of Cyber Incident Response Teams requires critical infrastructure service providers to establish cyber-incident response teams that implement measures against cyber-attacks and conduct activities to prevent incidents or mitigate damages, including notifying the National Cyber Incident Response Center of cybersecurity incidents.
- In the banking sector, according to the By-Law on Banks and Electronic Banking Services, banks are required to report cyber incidents to the BRSA.
Co-ordination With Cloud Service Providers
Under the DP Law, processors are not directly responsible for notifying the DPA or informing affected individuals in the event of a data breach; this responsibility falls on the controller. However, in its Announcement on the Procedures and Principles for Notification of Personal Data Breaches, the DPA states that processors must promptly inform the controller upon becoming aware of any breach, allowing the controller to take appropriate action.
If processors fail to inform the controller of a breach, the controller may still face penalties for failing to notify the DPA, even if the failure is due to the processor’s fault or negligence.
Therefore, it is essential to have a written DP Agreement that clearly defines the responsibilities of both the cloud user and the cloud provider and outlines breach notification procedures. This ensures proper co-ordination between the parties, allowing the cloud user to fulfil its legal notification obligations (see 5.1 Requirements to Report Data Breaches).
6. International Data Transfers
6.1 Cross-Border Transfer Regulation
International data transfers in the context of cloud computing under Turkish law are primarily governed by the DP Law, which imposes strict rules to ensure that the rights of data subjects are adequately protected when transferring personal data outside of Türkiye.
The mechanisms for transferring personal data abroad were recently amended to align with the GDPR. The new regime provides two primary gradual options for non-occasional data transfers abroad and an alternative solution for occasional data transfers abroad.
The main gradual options for non-occasional transfers are:
- adequacy decisions; and
- appropriate safeguards.
Per the DP Law, data transfers abroad can first be conducted based on adequacy decisions. If no adequacy decision exists, such transfer can be carried out by appropriate safeguards. If this is not possible, the solution for occasional transfers can be used for certain situations.
In line with the former regime, adequacy decisions remain a valid legal basis for international data transfers. The DPA is now empowered to issue adequacy decisions not only for countries but also for international organisations (eg, EU, United Nations) and certain sectors (eg, automotive sector, postal sector) within third countries. However, the DPA has not yet announced any adequacy decision.
In the absence of an adequacy decision, data transfers abroad are still possible through the implementation of appropriate safeguards. These safeguards are only applicable if the conditions for processing personal data are met, and data subjects can exercise their rights and access effective legal remedies in the third country where the data will be transferred.
Although not explicitly stated as a requirement for appropriate safeguards under the DP Law, conducting a transfer impact assessment can be regarded as essential for ensuring that data subjects can adequately exercise their rights and access effective legal remedies in the third country of the data importer.
There are primarily four established methods for implementing appropriate safeguards:
- an agreement (excluding international treaties) between public institutions and organisations or international organisations abroad and public institutions and organisations or public professional organisations in Türkiye, subject to the DPA’s approval;
- binding corporate rules (BCRs), subject to the DPA’s approval;
- SCCs announced by the DPA, with a requirement for notification to the DPA within five business days from the date of the signature of SCCs; and
- a written undertaking containing provisions that will provide adequate protection, subject to the DPA’s approval.
If occasional data transfers abroad occur without an adequacy decision, and appropriate safeguards cannot be ensured, the transfer may still be allowed provided the transfers are not regular, occur only once or a few times, are not continuous, are not in the ordinary course of business, and one of the following criteria is met:
- the data subject has explicitly consented to the transfer after having been informed of the possible risks of such transfers;
- the transfer is necessary for the performance of a contract between the data subject and the controller or the implementation of pre-contractual measures taken at the data subject’s request;
- the transfer is necessary for the conclusion or performance of a contract concluded between the controller and another natural or legal person in the interest of the data subject;
- the transfer is necessary for an overriding public interest;
- the transfer is necessary for the establishment, exercise or defence of a right;
- the transfer is necessary for the protection of the life or physical integrity of a person who is unable to give consent themselves due to actual impossibility or whose consent is not legally valid; and
- the transfer is made from a register that is open to the public or to persons with a legitimate interest, provided that the conditions required to access the registry in the relevant legislation are met and the person with a legitimate interest requests it.
It is important to emphasise that the regulations outlined in the DP Law concerning the transfer of personal data abroad and to international organisations also apply to onward transfers carried out by both controllers and processors.
Controllers must ensure that their processors implement appropriate technical and administrative measures, particularly when transferring personal data abroad. Due to their international operations, cloud providers often utilise subprocessors located in various third countries, which introduces additional complexities regarding data protection compliance.
Cloud users acting as controllers are obliged to confirm that the cloud providers implement adequate safeguards for any data transfers to these subprocessors outside of Türkiye. If the service provider fails to establish these safeguards, the responsibility may ultimately fall on the cloud user, exposing them to potential fines.
To mitigate these risks, cloud users should ensure that DP Agreements clearly delineate the responsibilities and obligations of both parties. This includes incorporating specific instructions from the controller regarding data handling practices, such as the cloud provider’s responsibility to implement adequate safeguards and robust liability and indemnity clauses.
6.2 Data Localisation
While there is no general requirement for companies to maintain cloud computing infrastructure or conduct data storage activities exclusively within Türkiye, certain sector-specific regulations do apply (see 1.1 Data Privacy and Cloud Computing).
Banking and Finance Entities
The following entities must keep their primary and secondary information systems in Türkiye:
- banks;
- payment institutions and electronic money institutions;
- insurance and private pension companies (excluding services like email, teleconference or videoconference);
- capital markets institutions; and
- financial leasing, factoring and finance companies.
Electronic Communications Providers
In principle, electronic communications providers cannot transfer traffic data and location data abroad, for national security reasons. However, in certain cases, such data may be transferred abroad by obtaining the explicit consent of data subjects.
Social Network Providers (SNPs)
SNPs whose daily access is more than one million must take necessary measures to retain their Turkish users’ data in Türkiye.
Public Institutions and Organisations
Data from public institutions and organisations must not be stored in cloud services, except within the institutions’ own private systems or with local service providers under their control.
Additionally, critical information (eg, population records, health records, communication data, genetic data and biometric data) must be securely stored within Türkiye. This obligation also applies to entities providing critical infrastructure services.
Commercial Electronic Message Management System Integrators
The information processing system used in integrator services, including software, hardware and server infrastructure, must be located within a database inside Türkiye.
6.3 Conflicts of Law
Conflicts of Law in Cross-Border Data Transfers
Unlike the GDPR, the DP Law does not provide clear regulations on territorial scope. As a general rule, the DP Law applies to controllers and processors established in Türkiye.
However, based on the DPA’s decisions, it appears that the DP Law is applicable when data processing activities occur in Türkiye or involve data subjects located in Türkiye. In an unpublished decision, the DPA emphasised that the territorial scope provisions of the TCrC should serve as the basis for applying the administrative fines defined under the DP Law. Those provisions apply to offences committed in Türkiye or deemed to have been committed in Türkiye, meaning that the offence is either partially or entirely committed in Türkiye or its effects occur within Türkiye. This implies that the DP Law shall be applicable if either the behaviour or its result occurs in Türkiye.
Therefore, DP Law requirements should be considered for processing activities in cloud environments, when applicable. Controllers must be aware that while the DP Law aims to align with the GDPR, compliance with the GDPR does not ensure compliance with the DP Law.
Risks and Challenges Associated with International Data Transfers in the Cloud
International data transfers in the cloud context can pose various risks and challenges under applicable legislation, particularly the DP Law in Turkish law.
Controllers must select appropriate mechanisms for such transfers and implement the necessary technical and administrative measures as mandated by the DP Law. For instance, it can be inferred from the DP Law that a data transfer impact assessment should be conducted when relying on appropriate safeguards, as different countries may have varying levels of data protection and security standards (see 6.1 Cross-Border Transfer Regulation).
Although controllers must rely on appropriate safeguards for non-occasional transfers, obtaining regulatory approval is quite challenging; since the enactment of the DP Law, only ten controllers have managed to obtain such approval. Additionally, each application for regulatory approval poses the risk of incurring administrative fines if the data transfer abroad occurs before receiving the DPA’s approval (see 6.1 Cross-Border Transfer Regulation).
As a result, recent market practices indicate a tendency to prefer SCCs with an obligation to notify the DPA, rather than seeking regulatory approval through written undertakings or BCRs.
On the other hand, relying on SCCs presents its own set of challenges. In the cloud computing landscape, a handful of major operators dominate the market, complicating the negotiation process for clients seeking to implement SCCs. While some of these providers have begun the process of aligning their contracts with SCC requirements, the sheer volume of clients they serve often results in a one-size-fits-all approach to agreements. This dominance limits the flexibility for individual clients to negotiate terms that may better suit their specific needs.
Another challenge associated with SCCs is the requirement for wet signatures from all parties, along with notarised and, if applicable, apostilled documents that certify the authority of the signatories.
This requirement can create significant logistical hurdles for cloud providers with a large client base, as co-ordinating these processes for numerous clients can be time-consuming and resource-intensive, potentially delaying the establishment of necessary data transfer agreements.
As the regime for data transfer abroad is relatively new, many aspects still require clarification through guidelines and resolutions to be issued by the DPA.
7. Compliance and Audits
7.1 Cloud Computing and Compliance/Audits
Cloud Audits as Technical Measures
Under the DP Law, controllers are obligated to conduct regular audits within their organisations. This requirement also extends to the processing activities conducted by their processors, ensuring that compliance measures are effectively implemented throughout the entire data handling chain. Therefore, cloud computing audits can be regarded as mandatory for implementing appropriate compliance measures, and failure to conduct these audits may lead to administrative fines under the DP Law (see 1.3 Penalties for Non-compliance With Data Privacy Regulations). Additionally, the controller’s right to audit is typically incorporated into DP Agreements and reinforced with penalty and liability clauses.
On the other hand, in market practice, certain industry actors are expected to adopt standards such as ISO 27017:2015, which offers guidance on the information security aspects of cloud computing, including specific audit standards and effective security controls tailored to the cloud environment.
Compliance audits can be conducted either by internal IT teams or outsourced to third-party service providers. Sector-specific regulations must also be considered, as some industries, such as banking, are subject to legal requirements when outsourcing third-party services.
Engaging independent auditors is also a common practice that enhances credibility by providing impartial assessments, which is crucial for ensuring the integrity and accuracy of audit reports for compliance. Organisations often utilise standardised frameworks like ISO 27001 to maintain consistency and comprehensiveness in reporting, complemented by internal quality assurance processes that review findings before finalising reports.
Key Matters to be Considered for Cloud Audits
Compliance audits aim to ensure that cloud infrastructure meets laws and regulations while identifying vulnerabilities, inefficiencies, and security gaps. Key focus areas for compliance audits, particularly in cloud computing, include:
- – identifying all cloud assets to determine what needs protection;
- – reviewing identity and access management policies, including authentication and authorisation mechanisms;
- – assessing the effectiveness of encryption methods and key management processes;
- – evaluating data backup and disaster recovery policies;
- – checking network security, firewalls, and intrusion detection/prevention systems;
- – ensuring adherence to industry regulations and standards;
- – verifying that proper monitoring and logging solutions are in place;
- – confirming the existence of an effective incident response plan and procedures to identify and report security incidents;
- – assessing compliance of third-party vendors and suppliers; and
- – reviewing the physical security of data centres to ensure the safety of cloud servers.
Effective management of audit trails and logs is also crucial for maintaining security and compliance. Organisations often implement centralised logging solutions that aggregate logs from various cloud services and applications, facilitating easier monitoring and analysis. Establishing retention policies is also essential (see 3.3 Data Retention and Deletion). Access to logs is controlled through restrictive measures, allowing only authorised personnel to view and manage logs, thereby preventing unauthorised access.
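The three log-management controls described above (forwarding to a central sink, a minimum retention period, and access limited to authorised roles) can be checked automatically as part of a compliance audit. The following is an added example written for this page, not code from the guide or from any cloud provider; the service names, role names, sink name and retention figures are constructed assumptions standing in for an organisation’s own inventory and policy.

```python
"""Audit-trail configuration check over a constructed cloud service inventory.

Added example (not from the original guide). It evaluates each service against
three audit points: logs are forwarded to the central sink, retention meets the
organisation's minimum, and only approved roles can read or manage the logs.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Hypothetical policy values; a real audit would load these from the
# organisation's retention and access policies.
MIN_RETENTION_DAYS = 365
CENTRAL_SINK = "central-log-archive"
APPROVED_LOG_ROLES = {"security-auditor", "soc-analyst"}


@dataclass
class ServiceLogConfig:
    """Logging configuration of one cloud service (constructed shape)."""
    name: str
    log_sink: Optional[str]            # destination of shipped logs; None = not forwarded
    retention_days: int                # how long logs are kept at the sink
    reader_roles: Set[str] = field(default_factory=set)  # roles allowed to read/manage logs


def audit_service(svc: ServiceLogConfig) -> List[str]:
    """Return a list of human-readable findings for one service (empty = compliant)."""
    findings: List[str] = []

    # 1. Centralised logging: every service must ship to the central archive.
    if svc.log_sink != CENTRAL_SINK:
        findings.append(
            f"{svc.name}: logs not forwarded to {CENTRAL_SINK} (current sink: {svc.log_sink})"
        )

    # 2. Retention policy: logs must be kept at least the policy minimum.
    if svc.retention_days < MIN_RETENTION_DAYS:
        findings.append(
            f"{svc.name}: retention {svc.retention_days} days is below the "
            f"{MIN_RETENTION_DAYS}-day minimum"
        )

    # 3. Restricted access: any role outside the approved set is a finding.
    unapproved = sorted(svc.reader_roles - APPROVED_LOG_ROLES)
    if unapproved:
        findings.append(f"{svc.name}: unapproved log reader roles: {', '.join(unapproved)}")

    return findings


def audit_inventory(inventory: List[ServiceLogConfig]) -> Dict[str, List[str]]:
    """Map each non-compliant service name to its findings; compliant services are omitted."""
    report: Dict[str, List[str]] = {}
    for svc in inventory:
        findings = audit_service(svc)
        if findings:
            report[svc.name] = findings
    return report


# Constructed sample inventory: one compliant service, one with three gaps,
# one exactly at the retention minimum.
CONSTRUCTED_INVENTORY = [
    ServiceLogConfig("web-frontend", CENTRAL_SINK, 400, {"security-auditor"}),
    ServiceLogConfig("payments-api", "local-disk", 90, {"security-auditor", "developer"}),
    ServiceLogConfig("object-storage", CENTRAL_SINK, 365, {"soc-analyst"}),
]


if __name__ == "__main__":
    for name, findings in audit_inventory(CONSTRUCTED_INVENTORY).items():
        print(f"== {name} ==")
        for line in findings:
            print("  -", line)
```

Each finding is tied to a named service so it can be carried into the action plan and re-checked in a follow-up audit; the retention comparison is inclusive, so a service kept exactly at the policy minimum passes.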
Addressing audit findings requires a systematic approach. Organisations typically develop action plans that outline the specific steps needed to address each finding, together with timelines and assigned responsibilities. Follow-up audits may also be conducted to verify that the issues have been appropriately addressed and mitigated.
* Originally published by Chambers & Partners on October 8, 2024.