The UK Data Protection Act (DPA) is often regarded as the world’s leading law on protecting personal data. But many UK companies now adopting cloud services are not only putting data at risk, but also themselves, by breaching data protection laws. How do you comply with the DPA, whilst maintaining a cloud presence?
When the UK government passed the DPA in 1998 it was heralded as the definitive way to guarantee personal data was protected. Over the following decade, refinements to the act ensured that personal data was not just secure, but more specifically, it was secure online. This worked well when data was held on-premise, within a company’s own data centre, but the advent of cloud technology has changed all that.
With data being streamed and stored across national territories, it also runs the risk of falling foul of other countries’ legislation. When George W Bush signed the US Patriot Act into law in 2001 following 9/11, no one could have predicted the data protection conflict that would occur between the UK and US as a result. The two acts lie in direct opposition of each other.
The UK DPA prohibits organisations passing personal data on to another party, yet, the US Patriot Act expressly permits the US government to access and examine any data – personal or otherwise – that’s held by a US company.
Security has long been a real concern for IT directors considering cloud infrastructures but previous anxieties have focused on data loss rather than location – a legal requirement enforceable under the DPA. Location of data has to become a priority, considering the words of Microsoft UK MD Gordon Frazer this summer who admitted that the US Patriot Act took precedence over the DPA. Not only does this mean trouble for UK companies using cloud services where data is stored in the US, it also means that the data of US companies operating outside of its borders are also subject to this priority, affecting some of the world’s largest CSPs – from Microsoft and Salesforce, to Google and Amazon.
The EU, UK and other nations are debating the issue. The EU has negotiated a safe harbour agreement with the US to protect data. However, since most CSPs are unable to assure customers where data is located, the bigger question has to be: just whose responsibility is data storage when operating in the cloud?
The Information Commissioner’s Office (ICO) is responsible for enforcing the DPA, and its latest annual tracking survey found that one in four companies are still unaware of the need to comply with the DPA. While many companies may plead ignorance, we’ve found a more concerning trend. When it comes to the cloud many data owners believe data protection responsibility lies with the CSP, or more worryingly, are simply using the cloud as a way to abdicate responsibility for storing and protecting their data.
This company apathy to data protection is widespread. We know this from experience. Rarely are we asked by prospective customers to ensure that data held within our cloud service is stored in the UK – compliance is simply not considered an issue when buying cloud services.
Many cloud services are problematic because they provide a generic, one-size fits all solution. Yet as cloud services have evolved, alongside customer needs, more tailored solutions have appeared, including UK-specific, DPA (and PCI) compliant services. With these services ‘control’, a concern cited by many IT directors when considering cloud services initially, has been given back to the IT department. With that control, however comes the responsibility for data protection.
The other failure occurs with the law itself. While the DPA provides stipulated requirements for the protection of data, it is enforced retrospectively not proactively. That means that companies are only prosecuted once a breach has occurred. The ICO has no power to audit private sector companies’ compliance to ensure that a data breach doesn’t occur in the first place.
Having no audit control over the private sector makes it impossible to proactively regulate and enforce the DPA. It’s generally accepted that the private sector generates the most data protection complaints. As a result, the information commissioner Christopher Graham, recently called for compulsory audit powers for the private sector. Data audits need to become a requirement within the financial and legal audit processes if companies are to be held accountable for data protection.
We think that the solution may be simpler. What the industry (and companies operating in the cloud) needs to assist in compliance is a series of DPA standards. Comparable to ISO 9000, a simple checklist of standards would provide companies with a way to effectively measure themselves as part of any risk assessment or business continuity plan. We’ve seen how well they work for quality management, so now it’s time to apply the same theory to the question of data protection.
John Roberts is head of managed services at Redstone.
Landmark ruling finds NSO Group liable on hacking charges in US federal court, after Pegasus…
Microsoft reportedly adding internal and third-party AI models to enterprise 365 Copilot offering as it…
Albania to ban access to TikTok for one year after schoolboy stabbed to death, as…
Shipments of foldable smartphones show dramatic slowdown in world's biggest smartphone market amidst broader growth…
Google proposes modest remedies to restore search competition, while decrying government overreach and planning appeal
Sega 'evaluating' starting its own game subscription service, as on-demand business model makes headway in…
View Comments
Excellent article John, we'll definitely be pointing potential clients and potential Reseller Partners at it (via a link from our blog) so they can get a good grasp of what it all means.
We speak to so many potential resellers of our UK-based cloud services who are currently reselling the likes of Microsoft 365 and Google Apps who think that they are avoiding issues with the US Patriot Act just because they are using the UK/European-arm/datacentre of a US-owned company... it's hard trying to convince them otherwise.
We're always trying to educate potential clients to think long and hard about where their data is and who effectively owns it, and advise them to choose a provider that promises to keep their data within the UK and whose Terms of Business state that their data remains theirs.
Will be linking to your blog soon.
Cheers,
Ryan Hughes
Quest Cloud Solution Ltd