One of the hottest topics I get asked about when talking to customers at the moment is the cloud, specifically privacy and data protection issues.
Cloud is undoubtedly now mainstream for many enterprises. Research shows the use of cloud applications by European organisations has grown by 61 per cent in the last year and that European businesses are now deploying an average of one new cloud service a day.
The cost benefits of moving from a CAPEX to an OPEX model of IT delivery, avoiding the expense of buying and maintaining hardware, are obvious, but the cloud is increasingly about much more than just the bottom line.
In a study by the analyst Gartner, those in CIO and IT director roles cited a modern approach, innovation and operational agility as the top drivers of cloud adoption. Business advantage also scored highly. And as many organisations start to embrace digital transformation, the cloud is also vital in enabling the fast testing and deployment of services and the ability to scale up and down quickly according to demand.
To fully realise all these benefits, however, businesses must also take the issue of privacy and data protection extremely seriously. We have all seen the often catastrophic consequences of the big high-profile data breaches of the past year, and here in Europe the data protection laws are likely to get much tougher if current proposals are passed, with penalties of up to €100m for organisations that fail to adequately protect the personal information of European citizens.
One of the questions I get asked often by customers is ‘how can I be sure my cloud provider has adequate protection and security for my data?’ The key thing for organisations to look for here is that the provider holds the relevant industry-standard security certifications for its datacentres. The main one is ISO/IEC 27001, which covers information security management and sets out the requirements for ensuring security best practice through an information security management system.
The other main question when it comes to the cloud, especially for European businesses, is a legal one about data protection, cross-border transfers and where the data physically resides. The worry for some is that many of the big cloud providers are US companies, which could mean customer data being hosted outside of Europe and potentially accessible by authorities in the US, bringing them into conflict with their own national and European data protection laws.
But that isn’t a deal breaker. When dealing with US cloud service providers, European businesses should look for vendors that are certified under the EU and Swiss Safe Harbour agreement (the Swiss one actually predates the European one). European data protection rules prevent organisations sending the personal data of European citizens outside of the region unless adequate protection has been put in place or the destination country has been approved as meeting the same standards as Europe. The US doesn’t meet these standards and so the Safe Harbour agreement enables US vendors to self-certify that they are compliant with the seven principles of the EU data protection regime. This then allows them to transfer personal data from the EU to the US without bringing customers into conflict with EU laws.
Even then some European countries require further assurances. Germany has some of the toughest data protection laws in Europe and in addition to a more formalised Safe Harbour agreement, it requires the data controller of a company to physically inspect the datacentre facilities of the cloud vendor where the personal data of German citizens will be hosted.
A recent report by the EC shows the total value of the cloud market for the EU is forecast to grow from €9.5bn (and less than three per cent of overall IT budgets) in 2013 to €44.8bn (and 10 per cent of overall IT budgets) by 2020. Privacy and security concerns should not be a barrier to this growing adoption of cloud services.
To that end, the regulatory framework is likely to become increasingly fit for purpose for the digital era, and the European Commission has proposed a new code of conduct on data protection for cloud service providers, aimed at helping cloud buyers assess whether a provider is compliant with EU data protection rules and helping cloud providers demonstrate that they are.