Data governance in a digital world and moving data do the cloud – legal aspects

Publication date: February 23, 2023

In today’s legal world, new technologies are being used more and more often, which are aimed at modernizing the work of lawyers. Data privacy and protection is a priority in today’s increasingly digital world, where a rapidly changing regulatory landscape creating challenges for business and more and more data is sent to the cloud. The momentum towards digital transformation is moving fast in many countries and this is another changing space that is exciting and challenging.

What sorts of challenges we are seeing being created by changes in digital world?

Cloud and retail technologies have advanced significantly, including customer understanding of the level of robustness and security of these solutions. A market of new technologies is changing at a great speed. There is a proposal for more demand and many large enterprises needs for cloud solutions that can be offered to law firms or businesses – and what happened during the pandemic is that many companies made efforts to digitize their space and realized that digitization is no longer a luxury area.

Customers really need to know what data is being placed in the cloud and the risks involved. Clients need lawyers who understand new technologies and moving data to the cloud. This reduces the risk that data stored in the cloud will be stolen. The legal market is changing more and more in this respect. Especially in the European Union, clients are eager to look for lawyers who are familiar with new technologies and cloud data management. This is related to the growing strength of legal branches such as the law of new technologies or intellectual property law. We cannot forget the fact that the modernization and digitization of the legal market in the European Union has completely changed the nature and functioning of law firms.

The fact that has contributed most to the expansion of the use of the cloud by law firms is the increasingly free access to the Internet by entities affiliated with law firms.

Cloud services are gaining the Polish market

The interest in cloud services is constantly growing, and the investment boom in the data center market has been visible for several years. Poland is one of the leaders of digital transformation in the CEE region – the use of cloud services for business purposes in at least one area is declared by 8 out of 10 managers. The situation looks better only in Hungary. Cloud services are used in various areas of business. In Poland, these are most often settlements and payments as well as marketing. Managers from Poland perceive the increase in data security as the greatest benefit of using cloud services. Paradoxically, this same factor is also the greatest source of anxiety. 7 out of 10 Polish companies fear leakage of sensitive data and exposure to industrial espionage.

The cloud = cybersecurity

The growing needs of companies related to economic and social factors, such as a pandemic or international conflicts, shape and will shape the IT business in Poland and in the world. Important factors also include the growing need for adequate data protection. In addition, 69 percent of companies in Poland recorded at least one cyberattack in 2021.

The visible trend we see in 2022 is that companies increasingly see the need to invest in protection against attacks and cybersecurity solutions. This trend is noticeable regardless of the industry represented or the size of the business, both in the sector of larger companies.

Application in the cloud, or what is SaaS

Saas, or software as service. This is exactly what SaaS is – sharing the software installed with the service provider over the Internet. The origins of this solution date back to the late 90s, when the first SaaS solutions began to appear as a response to the older, less efficient software sharing model, i.e., ASP.

The legal basis for the functioning of the cloud

In the last few years, the European Parliament has issued at least several legal acts regarding the provision of cloud services. The cloud is a service, as clearly stated in Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 on measures for a high common level of security of network and information systems across the Union. According to the resulting definition, a cloud computing service is a digital service that allows access to a scalable and flexible set of computing resources for shared use. The operation of cloud computing was presented in a more vivid way by the European Commission in the communication of 27 September 2012 to the European Parliament, the Council of the European Economic and Social Committee and the Committee of the Regions on the use of the potential of cloud computing in Europe. It indicates that the cloud computing service allows you to store content in the cloud. The cloud can serve the consumer as a digital content storage cabinet, as well as a synchronization tool to access this content from different devices.

The basis for the provision of a cloud service is an agreement between the provider of cloud solutions and their recipient.

The regulations for the provision of cloud services are set out, among others, in the GDPR. Technical requirements, information on the scope of content transfer and the complaint procedure were specified there. Regulations have also been applied within the framework of the European Free Trade Association.

Remote (hybrid) work is also related to regulations on cloud services. These are relatively new regulations that are just coming into force in Poland.

The labor market has changed dramatically over the last few years, mainly due to the pandemic. Remote and hybrid work are now common work models, hence the adaptation of the Labor Code to the new realities. The new Labor Code includes a chapter on remote work regulations (replacing the existing provisions on teleworking). According to the new law, you can work remotely on a full-time or hybrid basis (partly at home, partly in the company). Remote work will also be allowed in the event of disagreement with the trade unions or the issuance of regulations. In such a case, the employer specifies the rules for performing remote work in the order to perform remote work or in the contract concluded with the employee, respectively. In the event that the employer does not have an agreement or regulations on remote work, it may be applied at the request of the employee concerned. The new regulations authorize the employer to carry out inspections of the employee at the place where he performs remote work. Such control will be based on the rules set out by the parties in the regulations, remote work order or in the agreement concluded with the employee by the employer.

The control is to include compliance with information security and protection requirements, including personal data protection procedures at the place of work, as well as health and safety rules.

Each employee gains the right to 24 days of remote work during a calendar year. The provision is to be applied in incidental circumstances, justified only by the employee’s needs. An example might be the need to care for a family member.

The parties may agree on the rules for the use by an employee performing remote work of materials and work tools, including technical devices, necessary to perform remote work, not provided by the employer, meeting the requirements set out in the Labor Code. In this case, the employee performing remote work is entitled to a cash equivalent in the amount agreed with the employer. The above-mentioned costs and the equivalent may be replaced by a fixed lump sum.

Processing employee personal data (or, personal data in general) in the cloud is a fairly new solution that has appeared on the global IT market. Although its popularity is growing every year, along with its growth, there are also more and more legal problems and threats to people using it. This is because the cloud functions beyond the control of its users, and third parties also have access to the data sent to it. Cloud computing is a tool that can be accessed by all people using the network, regardless of the latitude in which they operate. For users, this is a great convenience, allowing them to use technological facilities in every corner of the world where there is Internet access. However, from a legal point of view, cloud computing causes many problems, mainly in matters related to the scope of personal data protection.

Enterprises where employees only store files on company computers are putting themselves at risk. It happens that specialists leave overnight or are forced to go on long-term sick leave. If the data is encrypted, access to it may be very difficult or even impossible.

File encryption is a very common protection that allows you to ensure the confidentiality of stored information. In some cases, it is also an obligation imposed by law on the company. Unfortunately, in the absence of contact with the employee, the company will lose access to the data.

We encounter a similar situation when a company computer suffers a serious failure, e.g. one that causes the disk to be physically damaged. Placing files in the cloud will protect them from destruction and allow access to them by other employees or IT administrator.

An additional advantage is the fact that the company will avoid duplication of certain files and the formation of internal data silos.

A situation where each of the employees has their own data resources placed on a company computer drive is a simple way to create intra-company data silos.

The easiest way to explain this phenomenon is with an example – if a person working in the HR department creates his own spreadsheet with data on employment in the company, another sheet with such data will be created in accounting, and another one will be used by the marketing department for activities related to intra-company communication, we will have three sources of the same information, i.e. data silos. The list of employed employees changes very often.

Using only company-owned devices is burdened with one more, very big disadvantage. Modification of the IT infrastructure will require the purchase of equipment. Any investment that requires time from the company and reduces its ability to adapt to changes.