Certification is no replacement for due diligence, say experts
Comments by the ICO highlight need for research when moving to the cloud


Experts have warned organisations looking to move to the cloud not to rely solely on information published by service providers to ensure they remain within UK data protection laws. This follows advice from the Information Commissioner’s Office (ICO), published on Out-Law.com, that cloud users cannot rely on external certification.
Richard Pharro, CEO of accreditation body APM Group, told Cloud Pro: “The ICO is right to advise caution on the behalf of end users when transitioning to the cloud. Although certification schemes are of key importance to the market today, they are no panacea. Cloud users will still need to exercise caution and do their due diligence – in heavily regulated industries this may involve seeking legal advice to ensure that they are compliant.”
Frank Jennings, partner at DMH Stallard, said: “The Act places the primary duty of compliance and protection of personal data on the "data controller" - that is, the business looking to use the cloud service to process and store this data.
“Schemes which promote the protection of personal data -- including those through [the Cloud Security Alliance]'s STAR initiative or compliance with Cloud Industry Forum's Code of Practice -- are beneficial to the industry. However, this doesn't switch responsibility onto the service provider,” he said.
While broadly agreeing with the points made by Pharro and Jennings, Conor Ward, partner at Hogan Lovells and chair of the Cloud Industry Legal Forum, was keen to emphasise that industry-level certifications are still useful: “It should also be pointed out that the area of standards and certification is in the course of developing and developing rapidly. The Commission has recognised the value of certification schemes in the draft Data Protection Regulation published in January this year.
“Under the current proposals, the Commission would be granted the power to specify the criteria and requirements for the data protection certification mechanisms but it is likely that organisations such as CIF and other reputable certification bodies will be instrumental in defining the criteria and requirements based on work they have done (and will continue to do) to define best practice.”

Jane McCallion is Managing Editor of ITPro and ChannelPro, specializing in data centers, enterprise IT infrastructure, and cybersecurity. Before becoming Managing Editor, she held the role of Deputy Editor and, prior to that, Features Editor, managing a pool of freelance and internal writers, while continuing to specialize in enterprise IT infrastructure, and business strategy.
Prior to joining ITPro, Jane was a freelance business journalist writing as both Jane McCallion and Jane Bordenave for titles such as European CEO, World Finance, and Business Excellence Magazine.