A survey by Opinion Matters for CipherCloud questioned more than 300 senior IT professionals; and discovered a surprising lack of awareness of the ICO guidelines. 40% of the professionals surveyed admit that they are unaware of the guidelines, while less than 27% claim to be both aware and compliant.
The Data Protection Act makes it clear that responsibility for data protection rests with the data owner (the company) and not the cloud provider. This means that it is up to the company to ensure security wherever cloud services are used – whether that’s web-based email, applications such as Google Drive, or third-party storage and transfer systems such as Dropbox. The implication, suggests CipherCloud, is that a security policy that covers all cloud services rather than piecemeal solutions for different services is what is required; but that very few companies are yet achieving this.
One possible route is universal cloud encryption. “Encryption,” notes the ICO, “allows a cloud customer to ensure that the personal data they are responsible for can only be accessed by authorized parties who have the correct ‘key’.” Successful data encryption implies compliance with the Data Protection Act, wherever the data is stored. But the difficulty with encryption is finding a system that encrypts the content, protects the key, and still ensures that cloud-stored data is accessible and searchable when necessary.
But however compliance is achieved, failure can be expensive. “UK IT professionals need be aware of the fact that regulatory non-compliance penalties could be as much as half a million pounds," warns Richard Olver, regional director of EMEA at CipherCloud.
That maximum fine for small companies could actually decrease if the EC Data Protection Regulation gets adopted and future fines are based on annual turnover – but for larger companies it could be considerably higher. "It’s clear that businesses are confused or even complacent about regulation, legislation, and compliance when storing data in the cloud and are largely unaware of their responsibilities,” adds Olver. That lack of awareness could prove very costly.