It is important to consider the laws governing confidentiality and security if you are mulling a cloud computing contract -- especially if you store customer data.

Certain laws such as the Data Protection Act (DPA) 1998 -- which polices the collection, storage and sharing of data -- could be breached if you’re not careful.

If you store sensitive customer data, you are obliged to register with the Information Commissioner's Office (ICO), which oversees compliance. The ICO can check that you store sensitive data securely, never share it inappropriately, and hold on to it only as long as required. (Their website is worth a look.)

In addition, legislation requires you to state clearly where you are storing consumer data and forbids storing it outside the European Union. If you are considering cloud computing, you need to watch for this, because a provider can store your data abroad even if its base is in the UK. Even countries such as the US are no-go because of privacy concerns.

So cloud’s remote storage can be a problem. But that doesn’t mean you should rule it out: “The US is a country that does not have adequate protection of personal data. There are lots of ways around that and the vendor, if based in the States, may offer solutions to that problem,” explains Chris Coulter, partner with law firm Morrison & Foerster. “In terms of data protection issues, if you’re in the UK and you transfer personal data outside the EU, you have to ask serious questions about where it’s going and what protections are in place in the jurisdiction you’re sending it to.”

And even if the data you store is not sensitive personal data, you should still make sure that any cloud outsourcing and processing of it remains consistent with whatever security obligations you have towards third parties.

Many cloud computing service providers cannot guarantee the security of the data they store, but companies can control who has access to it, or limit the data fields they collect so that less is captured and retained in the first place. You can encrypt your data too, but be aware that this is not a foolproof plan: many cloud providers process the data they hold rather than merely storing it, and that processing requires the data to be decrypted on their side.

It is your responsibility to have adequate risk management in place, as Tristan Rogers of software provider Concrete explains: “If you’re going to effectively rent a remote service from somebody, it’s their service rather than yours. So you need to check the guarantees you’ve got regarding the safety of your data.”

So carry out due diligence: assess the operational risk and compliance implications of your cloud service as you would for any other product. When arranging the service, make sure the service level agreement spells out how the provider will guard against the loss or damage of data, and against unauthorised or illegal processing of it.