Cloud computing solutions allow small businesses to outsource responsibility for hosting and supporting customer information. In many cases, a third party can host vast quantities of data for a fraction of the cost of in-house data management solutions, so it's unsurprising that many business owners want to migrate to cloud computing platforms. However, some Canadian small business owners are unsure about the legal implications of managing customer data in this way. Learn more about your legal responsibilities when you decide to use cloud computing to host critical business information with these five important questions.
Can Canadian businesses outsource services to companies outside Canada?
Companies outside Canada can offer cloud services more cheaply than their Canadian counterparts. As such, small business owners looking to find the most cost-effective solution will generally turn to third parties in other countries.
Canadian law does not stop businesses and organizations from allowing providers to host data outside the country, as long as your activity does not relate to a public sector or government body. In all cases, privacy laws mean that you must make sure that an overseas provider offers a level of security that meets the same requirements as a company in Canada.
Do business owners have to tell customers about cloud solutions?
Under federal law, you don't need to tell customers that their information sits within a cloud computing infrastructure. Similarly, you don't need a customer's consent to host their data in this way. However, the Privacy Commissioner of Canada recommends that businesses tell customers these details as a best practice, even if there is no legal obligation.
In some cases, provincial laws apply stricter rules. For example, in Alberta, the Personal Information Protection Act requires you to have a clear policy that identifies the countries where you store data. Your policy must also explain what the service provider can do with the information, and you must share this policy with your clients.
Can small businesses outsource to any country?
In Canada, the Personal Information Protection and Electronic Documents Act (PIPEDA) applies when any business transfers personal information to another company. This legislation is particularly important when you transfer information outside Canada. One of the main PIPEDA principles is that all organizations must use any available means to make sure a third party protects customers' data.
Any business using a third party must make sure that the company has the right policies and processes in place to protect customer data. Your business must also have the opportunity to audit and inspect what the service provider does. As part of this, you must consider every part of the transaction.
As such, your risk assessment should consider the environment in the host country and whether any issues there could affect data integrity. In some cases, you may decide that a certain country does not offer a suitably secure and robust environment for a cloud solution. If you faced a complaint, consider how easily you could show the authorities that you took reasonable precautions with a customer's data. If you don't think you could adequately prove this, you should consider alternative suppliers.
Who is liable for a data breach?
The original organization is always legally responsible for data security, even if the company outsources data to a third party. As such, even if you have a comprehensive contract with a supplier, the Canadian authorities will still hold you liable for any issues that arise.
Cloud computing introduces new risks of data interception and theft. You should work with your supplier to make sure suitable security controls are in place. For example, an encryption protocol such as TLS (the successor to SSL, and often still called by that name) protects information while it travels over the Internet between you, your customers and your provider; it does not by itself protect data once it is stored on the provider's systems. As a small business owner, it's important that you understand what these terms mean because you may have to explain the precautions you took to the Canadian authorities.
What sort of supplier contract do you need?
You should ask your lawyer to check all contracts with a third party before you finalize the agreement. It's not always easy to set out the jurisdiction that applies to the contract. For example, while your business location is important, you also need to make sure you specify where your supplier will hold your data. If your service provider has connections with several countries, the issue of jurisdiction becomes complex.
Other clauses your lawyer may consider include:
- An obligation for the service provider to co-operate with the Canadian regulator
- A provision that says the provider holds the information 'in trust'
- A defined limit or restriction on the things your service provider can do with the information
- An obligation that the service provider abides by certain information security standards
Don't just accept the standard contract a supplier offers you. A lawyer can help you negotiate any parts of the contract that may expose your business to risk.
Cloud computing solutions can save your small business money, but this technology introduces new legal risks for your company. Carefully consider your choice of service provider, and seek legal help at a law office to make sure you meet your data protection responsibilities.