The UK Data Protection Act
In the UK, the Information Commissioner's Office (ICO), which has the ability to levy half a million pounds in fines for companies that contravene the Data Protection Act, has recently turned its attention to the cloud. In November 2012, it published guidance outlining the responsibilities for companies storing their customers' data in cloud environments.
The guidelines assign responsibility for data security unequivocally to the company that owns the data, rather than to the company looking after it. An organisation whose customer data is processed by a cloud service provider may want to blame the third party when a data breach occurs, but the ICO has made it clear that the owner of the data is responsible.
The ICO offers data controllers several key pieces of advice to stay within the confines of the Data Protection Act. They must:
- Consider which data to move to the cloud, and assess the risks.
- Monitor the service provider's performance, and keep customers informed about their use of cloud services.
- Ensure that data is protected using the necessary technical and organisational measures.
- Select the right cloud service provider, sealing agreements over security with a written contract.
Security Begins with Cloud Encryption & Key Management
Data controllers must ensure that their own systems are secure. In Paragraph 63 of its guidance, the ICO singles out encryption as a useful tool in protecting the personal data in the cloud, even when it is being processed by a third party. By clearly specifying the use of encryption to keep sensitive data private and safe, the ICO is helping businesses and governments address the demands of complying with the UK Data Protection Act. The ICO explicitly calls out its ability to levy fines and recent penalties as a clear warning that it will penalise organisations not meeting their data privacy responsibilities. CipherCloud's groundbreaking cloud encryption gateway is making it easy for UK and European organisations to meet their data privacy and regulatory obligations in the cloud.