While cloud solutions offer businesses major advantages in relation to the cost, efficiency and scaling of data processing operations, the new report (68-page / 847KB PDF) highlighted the risk of data breaches if companies fail to correctly manage the security risks involved in cloud outsourcing.
The watchdog did, though, provide guidance on how businesses can avoid the common pitfalls associated with technology-related data breaches and take advantage of cloud solutions securely.
The report was the final annual report issued by the Office of the Data Protection Commissioner (ODPC), which was superseded by the Data Protection Commission when the General Data Protection Regulation (GDPR), and associated new Data Protection Act in Ireland, took effect on 25 May this year.
The report set out the main trends and findings of the ODPC between 1 January and 24 May 2018.
During the period, there were 1,198 valid data breach notifications recorded by the ODPC. Of those, 16 technology-related data breaches were investigated by the watchdog.
According to the report, the majority of the technology-related breaches resulted from a data controller’s use of cloud-based environments hosted by third-party cloud service providers.
According to the report, the technology-related data breaches all had the following common denominators:
The ODPC emphasised that data controllers employing cloud-based environments as part of their processing of personal data must exercise greater control over the security and monitoring of those environments.
The findings in the report in relation to data breaches involving cloud-based environments are a timely warning in the context of the increasing use of, and reliance on, cloud-based solutions.
The ODPC made recommendations that data controllers can follow to address the security risks identified when using third-party cloud services. It said those organisations should:
The ODPC's findings reflect a broader regulatory focus on the use of cloud services, especially in the context of regulated financial services businesses.
There was further evidence of this focus in a recent report of the Central Bank of Ireland on outsourcing by regulated firms. That report, which is open to consultation until 18 January, raised similar issues around cloud security, governance and risk management.
Dermot McGirr is a Dublin-based data protection law expert at Pinsent Masons, the law firm behind Out-Law.com.