In Part I of this series we outlined some of the practical approaches to consider at the outset of a cloud arrangement. In this Part II we set out below 10 practical solutions to alleviate some structural, regulatory and contractual issues:

Exploring practical options with the cloud provider may be one approach to consider, rather than trying to force a cloud provider to agree to terms later in the negotiation process that it cannot agree to due to its policies and need to maintain conformity amongst its customers. The following are some suggestions:

  1. Limit Destination of Data: Agree to limit the transmission of sensitive data to (or access from) certain countries rather than using all of the cloud provider's facilities that may be located around the world. For example, there may be concerns over a particular country's privacy laws and whether they provide a 'comparable level' of protection as required by Canadian privacy law. Simply requiring that only certain data centres or sites come in contact with the data could remove a problem, and lessen the regulatory hurdles.
  2. Limit Data: Practically limit the type of data that is uploaded to the service and is subject to the cloud agreement. For example, in the human resources context there may be categories of compensation data or personal information that are highly sensitive that could be maintained separately from the cloud solution on the business's own systems.
  3. Reduce Functionality: Consider switching off certain functionality offered by the cloud solution that the business is unable to make work within the regulatory constraints. If the cloud provider agrees, this could lead to considerable simplification and enable the parties to reach resolution of outstanding issues; it may be as simple as a change to a user interface.
  4. Seek Internal Exceptions: Once you have conducted your due diligence and understand the detailed service provisions, consider, if required, whether the business is able to seek specific exceptions to its existing standards and policies and obtain the necessary internal approvals. There may be scope for compromising on low-level requirements.
  5. Consider Add-ons: Consider if there are add-on software applications that can circumvent particular issues, for example, through the use of identity authentication tools deliberately designed to interoperate with cloud solutions to give added security.
  6. Separate Amending Agreements: If faced with service level schedules and service descriptions that the cloud provider cannot amend, consider if you can agree to a separate amending agreement, or alternatively terms that cut across the provisions in the main legal agreement rather than making amendments in the attached schedules.
  7. Prepare to Make Informed Compromises: If the business has neither the will nor the desire to negotiate certain changes, at least go through the implications of those terms with the internal client. A pre-informed client that is aware of the potential discrepancies, issues or limitations can manage the risks in a practical and informed manner.
  8. Collateral Agreements: Consider if collateral agreements can be used to circumvent certain contractual issues. For example, if you are not satisfied with the cloud provider flowing down contractual provisions to a sub-contractor data centre, can a separate privity agreement be used, or if there is a cross-border data flow from Europe, can European model contract provisions be used to supplement existing protections?
  9. Be Prepared to Negotiate: Experience has shown that towards the upper end of the risk/reliance spectrum with substantial cloud arrangements, cloud providers are open to common sense and practical suggestions to resolve structural, regulatory and contractual issues. Do not be afraid to negotiate.
  10. Consider Alternatives: Ultimately in the risk/reward context the business may need to be prepared to walk away and consider other options.

Matthew Wanford is co-leading a Pre-Forum Master Class entitled Compliant Cloud Computing for Financial Institutions for the Canadian Institute on September 19, 2012: http://canadianinstitute.com/privacy .

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.