Session 2b: Legal, Policy and Regulatory Issues


Session audio recording noted, survey mentioned.
Anonymised survey results will be published.
Summary of results so far, some structuring and seed ideas.
Commercial cloud providers are establishing UK-based datacentres.
Transparency on precise terms & conditions for data egress charges?
Encouragement to complete the survey…. URL is


EMBL – multi site/nation European organisation
Hybrid multi-cloud as strategic response to requirements.
Understanding costs, nature of data to be handled, and cloud options for handling.
Objective analyses of current use patterns, data categories, associated processing costs.
Results in a matrix of what can be done where.
Risk based analysis.
Comparison of cloud providers and associated capabilities.
Note the capability criteria…
Relative cost analyses
EMBL cloud tender for six month trial to explore these approaches and potential solutions.
Procurement lots are spread across several providers.
Contractual negotiations have been time-consuming (complexity)
Both technical and policy issues
mutual understanding
procurement models


Introductory definitions
Data issues and requirements
Confidentiality, Integrity, Availability, Security, Ownership

Data protection compliance
Legislation – DPA, GDPR, etc.
Personal data – definition
Sensitive areas…examples
NB deceased persons’ data excluded, except where data is relevant to living persons

Data controllers…
Cloud providers – processors
Data localisation (geographic), and associated transfers between locales.
Data processing impact assessments before processing in cloud

Hacking incidents/risks
Encryption requirements
Access controls, multi-factor

GDPR requirements for organisation responsibilities
Also obligations on processors – cloud providers
large fines for breaches

Contractual issues
Standard and negotiated contracts
Terms and conditions: several areas highlighted
Privacy policies