Certification is no replacement for due diligence, say experts
Comments by the ICO highlight need for research when moving to the cloud
Experts have warned organisations looking to move to the cloud not to rely solely on information published by service providers to ensure they remain within UK data protection laws. This follows advice from the Information Commissioner’s Office (ICO), published on Out-Law.com, that cloud users cannot rely on external certification.
Richard Pharro, CEO of accreditation body APM Group, told Cloud Pro: “The ICO is right to advise caution on the half of end users when transitioning to the cloud. Although certification schemes are of key importance to the market today, they are no panacea. Cloud users will still need to exercise caution and do their due diligence – in heavily regulated industries this may involve seeking legal advice to ensure that they are compliant.”
Frank Jennings, partner at DMH Stallard, said: “The Act places the primary duty of compliance and protection of personal data on the "data controller" - that is, the business looking to use the cloud service to process and store this data.
Schemes which promote the protection of personal data -- including those through [the Cloud Security Alliance]'s STAR initiative or compliance with Cloud Industry Forum's Code of Practice -- are beneficial to the industry. However, this doesn't switch responsibility onto the service provider,” he said.
While broadly agreeing with the points made by Pharro and Jennings, Conor Ward, partner at Hogan Lovells and chair of the Cloud Industry Legal Forum was keen to emphasise that industry level certification are still useful: “It should also be pointed out that the area of standards and certification is in the course of developing and developing rapidly. The Commission has recognised the value of certification schemes in the draft Data Protection Regulation published in January this year.
“Under the current proposals, the Commission would be granted the power to specify the criteria and requirements for the data protection certification mechanisms but it is likely that organisations such as CIF and other reputable certification bodies will be instrumental in defining the criteria and requirements based on work they have done (and will continue to do) to define best practice."
Cloud Pro Newsletter
Stay up to date with the latest news and analysis from the world of cloud computing with our twice-weekly newsletter
Jane McCallion is ITPro's Managing Editor, specializing in data centers and enterprise IT infrastructure. Before becoming Managing Editor, she held the role of Deputy Editor and, prior to that, Features Editor, managing a pool of freelance and internal writers, while continuing to specialize in enterprise IT infrastructure, and business strategy.
Prior to joining ITPro, Jane was a freelance business journalist writing as both Jane McCallion and Jane Bordenave for titles such as European CEO, World Finance, and Business Excellence Magazine.