Tags


Latest Posts


Latest Comments


Authors

Are you operating a legal Cloud?

homepage-update.jpg

Posted by |

The UK Data Protection Act (DPA) is often heralded as the world’s leading light when it comes to laws protecting personal data. However with increasing adoption rates of cloud services UK organisations are putting themselves and their data at risk by breaching data protection laws. Today I would like to take a look at how adopting a cloud service can have significant impact on your DPA compliance.

Back in 1998 when the DPA was passed it was seen as the definitive way to ensure personal data was protected. The following decade saw refinements to the law to ensure that online personal data was also secure.  This worked well when data was held on-premise within the data centre, but thanks to cloud technologies the landscape has now drastically changed.

If you were to ask many cloud service providers (CSPs) where a specific piece of data is held, I would wager that it would take them a while to answer. This is because the cloud doesn’t recognise national boundaries. Data is moved around at will by many CSPs across a globally dispersed infrastructure, meaning your data could be visiting more countries than a gap year student! Joking aside, this can have serious consequences. If an IT director doesn’t know where his or her data is, it’s possible that they may not be DPA compliant.

When data is streamed and stored across various territories, it also runs the risk of falling foul of other countries’ legislation.  Take the US Patriot Act, for example. Introduced post 9/11, the Act actively permits the US government to access and examine any data held by a US company, regardless of its location. It’s activity like this that has led to the storm over ‘NSA snooping’ and this puts UK and US data protection regulations in direct conflict.

Location of data must be seen as a real concern for organisations, especially when you take into account  that for some companies US Patriot Act takes precedence over the UK DPA.

This not only causes problems for UK companies using cloud services located in the US, it also affects the data of US companies operating outside of its borders, as they are still governed by the Patriot Act. This equates to some of the world’s largest CSPs including Microsoft, Google and Amazon, any one of which could be instructed to pass on your data to the US government.

A survey by the Information Commissioner’s Office (ICO), responsible for enforcing the DPA uncovered that one in four companies was still unaware of the need to comply with DPA. A major concern is that when it comes to the cloud, a lot of organisations believe data protection is the responsibility of the CSP, or even worse, that the cloud can be used as an escape option from data protection. This apathy is seen across the board. As a cloud service provider, we are very rarely asked by prospective customers to ensure that data is held within the UK. The DPA is just not a consideration when investing in the cloud, an oversight that could come back to haunt many.

It should be noted, that blame doesn’t just lie with the organisations using and supplying cloud services. The DPA needs updating to incorporate new technologies and how they are being used. A simple solution would be the introduction of a series of compliance standards, comparable to ISO 9000. The checklist would provide companies with a way to effectively measure themselves as part of any risk assessment or business continuity plan. We’ve seen how well they work for quality management, so now it’s time to apply the same theory to the question of data protection.

Until the law catches up with the current pace of change, I believe it is time for UK organisations to start viewing data protection and location as a major priority when adopting new cloud based solutions.

At Redcentric we already understand the importance of operating a legal cloud. We run our cloud technologies from five UK based data centres, ensuring that they meet and comply with current data protection regulation.

Comments

 

Post a comment

Comment submitted! Comments needs approval before being displayed.