Post-Snowden, there has been growing concern about data security and privacy. Most organisations feel more comfortable if they have absolute control over their data even if, in reality, it’s less secure. However, the cloud market continues to evolve rapidly, with many providers offering highly secure services, some with the data being held locally (for example in the UK). The most recent iteration of the G-Cloud Framework, G-Cloud 6, is the first to use the Government’s 14 cloud security principles to enable buyers to assess the security of suppliers’ services, which has helped to allay any undue reservations when it comes to the security implications of moving to the cloud.
Our recent report, ‘How Safe is Your Data?’ highlights the five main points that will help organisations to navigate and understand data security and privacy issues.
1. Breaching the Data Protection Act (DPA)
Organisations need to be confident that their supplier is providing adequate legal protection for their customers’ sensitive personal data, or they may risk legal action. Data controllers must put written contracts in place with their data processors, setting out what the data processor may or may not do with the personal data entrusted to them, including the specific security measures that must be taken to safeguard the data.
As an example, G-Cloud suppliers must not pass the data that an organisation controls to third parties, including sub-contractors, without that organisation’s written consent. Doing so would be a breach of the DPA leading to fines of up to £500,000, criminal proceedings and significant reputational damage.
2. Responsibility for validating suppliers’ security statements
With the introduction of the Government Security Classification Policy (GSCP), the former CESG Pan Government Accreditation service cannot be relied on to validate whether a supplier’s IT systems will properly protect an organisation’s data. It’s now up to the organisation to make that assessment.
Buyers should look for suppliers who use security-accredited personnel for data processing activities, are UK-registered companies that keep data within the UK only and who process data according to the DPA and the lawful instructions of the data controller.
3. Safe Harbor isn’t safe
In the wake of Edward Snowden’s PRISM revelations, the voluntary EU-US Safe Harbor agreement, intended to protect EU data from the US Patriot Act, is now irrelevant. Legislation such as FISA (the Foreign Intelligence Surveillance Act) gives the US Government the right to compel a US company such as Microsoft to hand over customer emails that reside on Microsoft servers in Ireland, without informing the affected customers.
A supplier that is registered in the UK, is not a subsidiary of an overseas company, has physical premises in the UK and will keep the data in the UK will provide the strongest protection against PRISM, FISA or any other foreign government legislation.
4. Data disclosure is a global issue
Between January and June 2014 Microsoft received more than 34,000 law enforcement requests from 68 countries, relating to more than 58,000 accounts. It released at least some data in response to over 75% of these requests. For an enterprise, it is therefore important to know the geographical location in which the supplier will store and process its data.
5. Growing trend to keep data sovereign
Our own recent research found that over 80% of the peers and almost 100% of the MPs we surveyed agreed that the UK provides adequate protection for processing public sector data, while the majority viewed offshoring as the greatest obstacle to cloud adoption. More than half of the MPs polled also agreed that UK public sector data should be securely processed in the UK.
The European General Data Protection Regulation (GDPR), which becomes law in 2017 and will replace the UK DPA, aims to harmonise European data protection and make Europe a safe place to store data by placing more emphasis on individual rights and increasing transparency.
As more organisations transition to the cloud, protecting sensitive citizen data from foreign governments as well as from hackers becomes essential. Organisations planning to move data to the cloud, or to hire a supplier to store customer data, need to factor in data protection legislation both at home and overseas, and to understand the geographical location in which the data will be stored. Keeping data securely located in an organisation’s home country, entrusted to a supplier from the same nation that is tasked with keeping the data sovereign, is the best way to mitigate data security and privacy issues.
About the author
John Godwin, Head of Compliance and Information Assurance at Skyscape Cloud Services, has more than 20 years’ experience in the implementation and operation of ISO Management Systems.
John is a Lead Auditor, Member of Business Continuity Institute (MBCI), Member of the Institute of IT Service Management (MISM), on the TechUK Cyber Security Group Committee and holds the Professional Credential from the Global priSM Institute (PSM).