Are cloud vendors prepared for the impact of this year's EU data regulations?

The EU General Data Protection Regulation will be introduced in 2015
The EU General Data Protection Regulation will be introduced in 2015

There is little doubt that the cloud will play an increasingly important role as more and more organisations adopt cloud-based strategies to underpin their IT infrastructures. Indeed, cloud hosting offers a wide variety of advantages to companies with the expertise to take advantage of it. Applications can be rolled out faster, resources can be rented rather than purchased and infrastructure can be right-sized to support monthly and seasonal peaks.

However, a global survey commissioned by iland last year, and undertaken by analyst firm Enterprise Management Associates (EMA), highlighted that there are also plenty of challenges when moving to a new cloud-based infrastructure. In fact, 91% of those surveyed experienced at least one unexpected challenge when moving to the cloud with pricing, performance, scalability and location all topping the list of issues.

The EMA research revealed that most organisations won't adopt a single vendor for their cloud requirements but will work with multiple vendors to best meet their IT, security and compliance needs.

One of the reasons behind this relates to data sovereignty, as most organisations consider the guaranteed location of their workloads of paramount importance, as this can impact the laws that govern the application, the data and ultimately the company. Most organisations going down the cloud route will therefore seek to control the movement of their IT footprint in accordance with conscious choices regarding data sovereignty.

Organisations should choose a vendor that can guarantee the location of its IT workload, with proximity being a key factor in this decision. However, the flipside is that this leaves little protection against local natural disasters or territory-related data breaches. If you have your data safely located elsewhere, for example, your failover data centre is located far from home, this does provide an additional layer of security. Many organisations, however, won't consider this as a viable option due to data sovereignty and compliance to local regulation and laws.

This is particularly important for EMEA companies as the EU Data Protection Directive adopted in 1995 is set to be replaced with new legislation known as The EU General Data Protection Regulation. This is expected to be introduced some time in 2015. I question how much impact this new legislation will have and wonder how prepared many of the existing and up-and-coming cloud providers are for this new regulation.

In particular data collection, retention and breaches are areas that the EU plans to tighten up on with the new regulations. Here are a few aspects that we've gleaned which are of particular importance.

Data collection

Two significant new rulings around the collection of data are:

1. EU users must acknowledge that they are aware they are submitting personal data.

2. Data portability is still to be worked out, but when it is, there will be massive fines for leaking data across countries. Fines for non-compliance are already in place and can be up to 2% of the annual global sales of the company.

Data retention

Data retention is currently under review in the EU. In April 2014, the Court of Justice of the European Union declared the Data Retention Directive invalid. The Directive had ordered European states to pass laws that obliged certain internet organisations to log records of their users' activity, keeping them for up to two years and providing police and security services access to them. The court decided that the Directive was not proportionate and did not go far enough in protecting the fundamental rights to privacy and the protection of personal data.

However, the court did recognise that data protection under specific conditions does serve a legitimate interest to the general public, namely the fight against serious crime and the protection of public security. So although the Directive was declared invalid, rest assured companies will not have a free rein to do what they want.

Data breaches

Data handling and protection is a major concern. Failure to meet regulations can mean expensive fines for cloud providers, wherever they are located. If a breach occurs the cloud provider is required to contact the EU regulatory body. Failure to do so means additional sanctions can be levied. If the breach occurred because adherence to proper data protection was not performed the cloud provider can expect to pay a sanction which, again, could be up to 2% of the annual global sales of the company.

As a cloud provider, we can assure our customers that we meet the current EU data protection requirements. Moreover, we are monitoring and working diligently to ensure we remain fully compliant when the new EU rules change later this year, and as they continue to advance to account for changing technology. It will be interesting to see what evolves as the topic gains more attention among other vendors as well as EU and global companies.

  • Johnny Carpenter is EMEA director at iland