Data is of course at the heart of the vast majority of software applications. In some form or other, applications in the cloud will typically be storing data that relates to you or your customers/clients, and so understanding what this means for your organisation is critical.
Format and accessibility of data
A consideration that is often highlighted too late is the format in which the software stores the data, and how easy it is to access that data. Moving to cloud software means that all the data is stored with the supplier, and they have the option to make it available to their customers in several ways. Most commonly, standard export functionality on the main user interface is intended for use as a ‘friendly report’ and not as a full export of all data that could be imported into another platform. APIs or ‘connectors’ that allow direct exporting of data into applications such as Power BI can also provide a critical function in supporting organisations to access their cloud-hosted data, but they can be limited in terms of performance, the number of calls made within specific timeframes, or the range and format of data available. Fuller, richer exports that are available may provide a more complete set of information but may not be in a format that can easily be used by another piece of software.
As a result, consider all of the options available for both importing and exporting data from the software – including support for proprietary and open-source data formats. It is important to check whether there are tools available from the solution provider to assist with porting data from one piece of software to another, or even specialist third-party data extraction and conversion solutions. If such tools do not exist, then the technical ties to the data will mean that a short notice period – as is common with cloud software – is redundant when it could take months or even years to migrate data to or from the platform.
Similarly, it is important to understand how easily you can access the data that is stored in the platform; data protection regulations in many countries force cloud service providers to make the personal data they hold accessible to the users whom that data relates to, but the same is not necessarily true of non-personal data relating to businesses. Therefore, it’s important to understand and review the data ownership and access terms and conditions agreed with the service provider. Very few cloud software solutions allow their customers to directly access the underlying databases in which their data is stored, and for those who are used to this level of control and accessibility, it can be frustrating. The challenge can be that while many cloud software providers emphasise how the data remains ‘your’ data, by limiting the ways you can access that data it may not feel much like it is. This may also have an impact on deriving reporting from these systems where in-built reporting and dashboards may be limited and where data is unavailable for download for custom analysis.
Audit rights may also be important when evaluating the service provider’s infrastructure for operational resilience, security controls and compliance with regulatory and legal requirements. As mentioned above, very few cloud software solutions allow their customers to directly access the underlying databases in which their data is stored, or the provider’s operational infrastructure. If the software solution stores or processes data that has a potential impact on your organisation’s financial statements, your auditor may request access to the data, and/or to reports that validate the system’s integrity. As a result, organisations can benefit from establishing relevant audit and access rights from the outset and evaluating the service provider’s security and compliance early on. Be aware that some software providers charge additional fees to respond to requests from auditors, which need to be budgeted for.
Volume of data
Many applications allow users to upload media or synchronise emails with their service – photos of documents, receipts and so forth are easy to snap and upload via apps. This can be a key benefit and takes little effort and time to do, but the cumulative amount of data being stored can become significant.
There are three considerations to be made.
- Does the provider have a limit (either hard or recommended) on data volumes? Providers of software solutions targeted at SMEs may not have designed their systems to handle significant volumes of data traffic, and so performance and stability may be impacted if volumes exceed those limits. If substantial growth of a business is expected, the organisation should understand whether the cloud software is able to scale in parallel.
- Can the cost of storing files ever change? Free services or certain contract tiers may have a limit to the storage and then levy additional charges beyond that figure. This can be at a point when the software has become an essential tool for the user, who is therefore more likely to continue paying for the service. In some cases, storage costs may increase exponentially to discourage data hoarding, while in others, they may reduce as a proportion of the volume of data. Therefore, it is important to understand how the charges work. Your archive strategy and how much data you need to store and for how long will be important to consider here as there may be additional data processing costs to consider.
- Is there the ability to pull back down files/data in bulk, and re-upload to another service should the time come? As data volumes increase, this could potentially take a long time to perform piece by piece, which would be problematic if there was ever a need to migrate from the service quickly.
Data ownership
Ownership of data is more of a cloud-specific issue and may be dependent on the nature of the data owned and where it was created. Where data is created by a business before uploading to the cloud, the business may own the data under copyright laws. However, ownership of data where it is created on the cloud platform may be less clear.
Usually, a cloud service provider would qualify as a processor when a business uses its services. As a controller, you maintain control and ownership of your data and the cloud service provider will process personal data, which is stored within their databases or servers, on your behalf. To ensure this level of control, a clear distinction should be made between the provider’s right to store and process the data and the ownership that is retained by the customer, which should be in the agreement with the cloud service provider. It should be made clear that the cloud service provider cannot do anything with the data unless you instruct them to do so, and the data remains within your control.
Software using generative AI models and capabilities will raise similar concerns and challenges, so it is important to be clear on who owns the data, how it is controlled and if it will or will not be shared with third parties. Learn more in ICAEW’s Generative AI Guide.
It is important to have a good overview of data considerations to incorporate this into agreements with the cloud service provider. Some of those are outlined below.
- Check the terms and conditions outlined in the agreement with the cloud service provider to confirm whether the service provider is a data processing agent, which will only process data on your behalf, or a data controller, which has the right to use the data for its purposes as well.
- If highly sensitive and confidential data is being stored on the cloud, review the agreement and legal framework surrounding data storage and ownership.
- Confirm and review the location of where your data will be stored. If in a foreign country, ensure the data regulations match business requirements regarding data ownership and security.
- As mentioned above, accessibility of data is closely linked to ownership, though the two are legally quite distinct. It’s important to ensure that, if you do retain ownership rights over the data held in the platform, you also retain the ability to access it as and when required.
Data location
Depending on the location of the business, the data may need to be stored in a particular geographical region. Businesses may not want it stored in countries that do not have strict laws when it comes to data protection, or they may be subject to strict laws in some of the jurisdictions in which they operate. This may mean that, for businesses with an international footprint, data needs to be stored in different locations to meet different legal requirements.
Many UK businesses, and indeed their customers too, will be far happier knowing their data is stored on UK based servers, rather than unknown storage sites scattered around the world, and this may be a requirement for some customers.
Personal data falls under a number of these legal requirements and businesses operating within the EU or UK are constrained as to where this data may be stored. Data of these citizens usually needs to be stored within the country of origin, or other nations which have been deemed data adequate, or which fall under special agreements. It is vital to understand the business and legal requirements around the storage of data when considering cloud providers.
Backups
Data loss is one of the most common risks in computing. This might be through accidental or deliberate deletion, corruption, system failure, physical or environmental incidents such as fire, earthquake or flood, or cyber-attack, all of which have the same end result that critical business data may become irrecoverable. Encrypted data can also become inaccessible if the means to decrypt it is lost. While these risks are typically lower for cloud products, they remain relevant.
The first consideration with cloud computing is to evaluate the backup options the cloud service provider is able to offer. Many cloud service providers offer built-in redundancy, failovers to secondary datacentres, standby databases and expandable storage for scaling as standard. Businesses should assess these options and create a backup strategy that matches the required business needs and enhances the cloud provider’s capabilities, rather than unnecessarily duplicating it.
There are a multitude of reasons for ensuring that a cloud service has regular backups, durable storage and available access points of your data. Even if the cloud service has built-in redundancy, there is a risk that the platform is compromised and their entire environment becomes unavailable, meaning a separate restoration of the data is needed.
As part of the risk review, consider how much data can be lost if a roll back needs to occur. Backups can take place in real-time or over hourly, daily and weekly intervals. They can also be incremental, which minimise storage volumes and impact on a live system but can take longer to restore from, or full, which are the most complete type of backup but can rapidly fill storage capacity. Based on these variables, service providers can offer different options for recovery points, the accepted period of data loss, and the accepted period of downtime and recovery time, which can be as little as a minute or span over weeks. If you can’t afford to lose any data, explore the different options available, communicate that expectation with the service provider and build it into the contractual agreement.
In addition to ensuring that there is the ability to back up data, the process for restoring data should be regularly tested and assurance should be gained from the service provider that they perform such exercises to ensure that their service level agreements (SLAs) around data assurance can be met. Many cloud service providers working with financial data will have ISAE 3402 or SOC 1 reports, which describe the controls they have in place and should be made available to any customer or auditor on request.