“The use of outsourcing to the cloud and other third party IT services can have a positive impact on competition in financial services”
This quote, taken from the current FCA guidance on outsourcing to the cloud, makes clear that cloud services are not only permitted for regulated firms but can bring significant benefits.
However, the FCA are equally clear that ultimate responsibility for the protection of data remains with the business: outsourcing the storage does not outsource the accountability.
So, what measures should you take to get the full benefit of cloud storage while staying on the right side of compliance?
Being able to demonstrate a robust and up-to-date level of security is crucial to showing due diligence in the safe storage of data. Work with providers who use strong measures such as encryption of data at rest and in transit, and satisfy yourself that those measures are actually in place rather than taking them on trust.
You also need to demonstrate that all reasonable precautions have been taken to prevent data loss and to recover data if loss does occur. Carry out a risk assessment of potential suppliers, and make sure you fully understand what measures your cloud provider has in place for data recovery.
Where’s the data being stored?
The guidance stresses that firms should have “choice and control regarding the jurisdiction in which their data is stored, processed and managed”. As you retain responsibility for the data, it is imperative that you know exactly where it is stored and processed and how it is protected there.
However you use cloud-based storage, the guidance is very clear that access to the data must be available at all times. This includes access for you as the business owner, as well as for industry regulators and auditors.
In addition to access to digitally stored data, the FCA also stipulate the need for access to the business premises of your cloud provider. This means working with an IT provider that has an office or headquarters that regulators and auditors can visit.
Public Cloud Services
Use of a public cloud service – such as Office 365 – is allowed under the FCA guidance. However, clear and demonstrable measures must be put in place when doing so.
Primarily, this means you must have a thorough understanding of how the cloud provider stores your data alongside other customers' data on shared infrastructure: what measures keep your data separate, and what security protects it on the provider's servers. Understanding this is critical to your own due diligence.
As well as procedures for swift recovery of data, you must ensure there are arrangements for the continuity of your business should an unforeseen event disrupt the service. You may have adequate measures for a problem within your own operation, but have you also planned for a failure at your cloud provider, however unlikely that may seem? Suitable backup provisions should always be a fundamental part of your data protection.
Your provider must also have a suitable, easily managed exit strategy for the event that you wish to change or move your data storage services. If you are outsourcing to a third party, a move to another supplier must be possible without undue disruption or hindrance.
As the FCA acknowledge, there is a demonstrable benefit to using cloud services in the financial sector. However, since responsibility for the data remains with the business, you have a duty to be diligent when selecting a provider. Work with reputable IT experts who can demonstrate and deliver safe, effective storage, for your peace of mind and your full compliance with the regulations.