Data Protection Law
Technology Untangled – Hewlett Packard Enterprise Podcasts
Join us on a 39-minute journey with Michael Bird, untangling innovation through a series of interviews and stories. In this episode, Neil Williamson joins the conversation.
In a special episode hosted by Michael Bird, the director and founder of EM Law, Neil Williamson, gives us an insight into the challenges of being compliant in the cloud from a data protection perspective.
Press play below to find out more about the cloud, and if you’d like to follow along, keep scrolling to read the transcript as you listen on. Neil appears on the podcast at 27 minutes, 28 seconds. He appears on the transcript on page 9 as speaker 6.
Each speaker highlights the risks associated with the global transition to the cloud. We all used to live in a world where every office would have its own or pooled server in the basement. Cloud computing has largely eliminated this inefficient and expensive requirement, but with the convenience many have lost sight of the risks.
One of the interviewees, HPE’s Adrian Lovell, hypothesises a situation where a majority of the UK’s banking infrastructure is utilising one provider’s cloud services. The provider fails, and the UK’s financial services industry “just turns off”. According to Adrian: “we are looking at a situation of basically financial meltdown that makes the 2008 crisis look like you just dropped your pocket money.” These risks are real. Adrian alludes to the temporary outages of Fastly and Cloudflare that took out websites such as Amazon, CNN, and various high-profile cryptocurrency exchanges for a brief period.
The discussion highlights the issues around not relying on the cloud. The costs of running in-house data centres in the data-intensive modern world are extremely high. Some organisations go for a ‘half-in, half-out’ model, but that approach loses the full benefits of both the cloud and the physical in-house data centre way of operating IT. Moreover, the technology continues to expand and most businesses, both customers and providers, now rely on the cloud. We have come too far to go back now.
So where does that leave cloud services? How do we address these challenges? The first port of call, naturally, is regulation. US, UK, and EU regulators are moving in a more restrictive direction. But there is a fear that over-regulation may slow down the West’s struggling economies even more. Top-down regulation is one thing, however, and governments have different tools in their regulatory arsenal.
Neil explains that, in most circumstances, the cloud is provided to customers on the legal underpinning of what is known as Software as a Service (SaaS) – where there is no hardware, just an internet connection between the provider’s systems and the customer’s. Short of preventing this connection altogether, what is a way to ensure that data is protected and both provider and customer have ‘skin in the game’ to prevent anything from going wrong?
One of the most relevant answers is the well-known legislation GDPR/UK GDPR. A customer is going to be the controller of all personal data (names, email addresses, identification documents) provided by the customer to the cloud provider. The customer has its obligations to its data subjects, and the provider (the processor) in turn has obligations to the customer to keep that data safe. This goes a long way to encourage safe data practices to prevent meltdowns and data losses from occurring. Neil highlights the need to have strong contracts in place to really amplify what measures companies can take to keep control of the data they process when using cloud services.