FAQs

In public cloud arrangements, your data would generally be distributed across multiple data centres potentially in different countries. Some jurisdictions may however have data protection or 'localisation' laws which require certain data to be stored within the local jurisdiction. In these cases, you should consider whether the cloud provider has a data residence policy which specifies where it intends to process data.

When setting up private cloud arrangements, you may be able to specify in which data centres or in which countries you would like your data to be stored. The data may still be distributed across multiple data centres, but as the private cloud provider dedicates specific resources and infrastructure for the sole use of each user, there may also be scope for customised arrangements as to how and where data are stored.

The need to keep the affairs of clients confidential does not prevent firms outsourcing services. Firms can evidence compliance by taking appropriate steps to ensure that clients’ confidential information will still be protected whilst stored in the cloud. As with all technology, the SRA advises that firms can do this by carrying out proportionate diligence of the provider’s systems for protecting confidentiality - see their guidance and that of the ICO's for further information. Terms of engagement with certain clients may in some cases impose restrictions on storing their data in the cloud and firms should check these.

Some law firms opt for hybrid cloud strategy, which is a combination of both private and public clouds within the firm's infrastructure, so that both data and applications can be transferred, subject to user permission, back and forth between the two cloud environments. Generally speaking, in a hybrid arrangement, users would opt for databases (especially those containing confidential or sensitive data) to be hosted on the private cloud element while the public cloud element would host the applications that utilise the data within those databases.

A starting point is to check the international standards (many of them widely recognised) with which the cloud provider is compliant and for which it is certified, and whether those constitute standards sufficient to your IT team's expectations.