The figure below provides a quick recap of the main input entities for data classification regarding P&DP.
Data classification can be accomplished in different ways, ranging from “tagging” the data by using other, external information to extrapolating the classification from the content of the data.
The latter method, however, may raise some concerns because, under the laws of some jurisdictions, it can result in prohibited monitoring of content belonging to data subjects (for example, laws that restrict or do not allow access to the content of email in employer–employee relationships).
The use of classification methods will be properly regulated in the cloud service agreements between the customer and the cloud service provider, to achieve efficacy in classification within the limits set out by the laws ruling access to the data content.
Key Privacy Cloud Service Factors
All the DP requirements are important in a cloud service context; however, it is appropriate to bear in mind the key privacy cloud service factors depicted in the table below.
These key privacy cloud service factors stem from “Opinion 5/2012 on Cloud Computing,” adopted by the WP 29. This working party was set up under Article 29 of Directive 95/46/EC and is an independent European advisory body on data protection and privacy, composed essentially of the representatives of all the EU data protection authorities.
These factors show that the primary need is to properly clarify, in terms of contractual obligations, the privacy and data protection requirements between customer and cloud service provider.