Cloud computing did not exist when data protection regulations came in. John Roberts of Redstone explains how to keep within the law
The UK Data Protection Act (DPA) is often regarded as the world’s leading law on protecting personal data. But many UK companies now adopting cloud services are not only putting data at risk, but also themselves, by breaching data protection laws. How do you comply with the DPA, whilst maintaining a cloud presence?
When the UK government passed the DPA in 1998 it was heralded as the definitive way to guarantee personal data was protected. Over the following decade, refinements to the act ensured that personal data was not just secure, but more specifically, it was secure online. This worked well when data was held on-premise, within a company’s own data centre, but the advent of cloud technology has changed all that.
What do we mean by cloud?
Just to be clear, in this context we’re referring to ‘cloud’ as infrastructure as a service. Ask many cloud service providers (CSPs) where a specific piece of data is held, and it would take them a while to answer. In most instances the cloud does not recognise national boundaries. CSPs simply move data across their often globally dispersed infrastructure at will, in whatever way is most efficient for them. This means that the IT director no longer knows where his or her data is, and so cannot comply with the DPA.
With data being streamed and stored across national territories, it also runs the risk of falling foul of other countries’ legislation. When George W Bush signed the US Patriot Act into law in 2001 following 9/11, no one could have predicted the data protection conflict that would occur between the UK and US as a result. The two acts lie in direct opposition to each other.
The UK DPA prohibits organisations from passing personal data on to another party, yet the US Patriot Act expressly permits the US government to access and examine any data – personal or otherwise – that’s held by a US company.
Security has long been a real concern for IT directors considering cloud infrastructures, but previous anxieties have focused on data loss rather than location – a legal requirement enforceable under the DPA. Location of data has to become a priority, considering the words of Microsoft UK MD Gordon Frazer this summer, who admitted that the US Patriot Act took precedence over the DPA. Not only does this mean trouble for UK companies using cloud services where data is stored in the US; it also means that the data of US companies operating outside US borders is subject to the same priority, affecting some of the world’s largest CSPs – from Microsoft and Salesforce to Google and Amazon.
The EU, UK and other nations are debating the issue. The EU has negotiated a safe harbour agreement with the US to protect data. However, since most CSPs are unable to assure customers where data is located, the bigger question has to be: just whose responsibility is data storage when operating in the cloud?
The Information Commissioner’s Office (ICO) is responsible for enforcing the DPA, and its latest annual tracking survey found that one in four companies are still unaware of the need to comply with the DPA. While many companies may plead ignorance, we’ve found a more concerning trend. When it comes to the cloud many data owners believe data protection responsibility lies with the CSP, or more worryingly, are simply using the cloud as a way to abdicate responsibility for storing and protecting their data.
This company apathy towards data protection is widespread. We know this from experience. Rarely are we asked by prospective customers to ensure that data held within our cloud service is stored in the UK – compliance is simply not considered an issue when buying cloud services.
With power comes responsibility
Many cloud services are problematic because they provide a generic, one-size-fits-all solution. Yet as cloud services have evolved alongside customer needs, more tailored solutions have appeared, including UK-specific, DPA (and PCI) compliant services. With these services, ‘control’, a concern cited by many IT directors when first considering cloud services, has been given back to the IT department. With that control, however, comes the responsibility for data protection.
The other failure occurs with the law itself. While the DPA provides stipulated requirements for the protection of data, it is enforced retrospectively not proactively. That means that companies are only prosecuted once a breach has occurred. The ICO has no power to audit private sector companies’ compliance to ensure that a data breach doesn’t occur in the first place.
Having no audit control over the private sector makes it impossible to proactively regulate and enforce the DPA. It’s generally accepted that the private sector generates the most data protection complaints. As a result, the Information Commissioner, Christopher Graham, recently called for compulsory audit powers over the private sector. Data audits need to become a requirement within the financial and legal audit processes if companies are to be held accountable for data protection.
We think that the solution may be simpler. What the industry (and companies operating in the cloud) needs to assist in compliance is a series of DPA standards. Comparable to ISO 9000, a simple checklist of standards would provide companies with a way to effectively measure themselves as part of any risk assessment or business continuity plan. We’ve seen how well they work for quality management, so now it’s time to apply the same theory to the question of data protection.
John Roberts is head of managed services at Redstone.