Insider Media Limited

With Apple due to launch iCloud at its annual developers’ conference in San Francisco next week, Michelle Craven, a director in the Commerce & Technology team at Nelsons, urges businesses to be aware of potential risks alongside the efficiencies offered by Cloud Computing services.

Cloud Computing is one of the most recent growth areas of IT and it is anticipated that it will continue to grow to reach revenues in the region of $150bn in the next two years. It is thought that most organisations rarely use more than 15 per cent of the computing power available on their desktop computers.

Using the “Cloud” could allow a business to pay just for that 15 per cent, whilst at the same time having access to almost unlimited resources for when they are needed.

This is all positive stuff but the “Cloud” also raises questions about reliability and risk. Whilst as an individual you may be prepared to put personal information about yourself on the web, businesses should think very carefully about the implications of passing over control of certain critical functions.

At the very least, if entering into a “Cloud” type arrangement, new agreements with their IT provider will be required and these will inevitably be more complex than the traditional service level agreements.

There is a risk that “Cloud” deals may not be as flexible as businesses would like. Businesses not only need to be sure that data put in the “Cloud” can be retrieved as quickly as possible, but they should also be asking the cloud provider how they can guarantee confidentiality, accessibility and how they intend to maintain the integrity of the data. Industry accreditations held by the provider should be scrutinised as well as whether or not they have a proven track record.

There is then also the spiky issue relating to data protection as the business will no longer be certain where its data is stored, a serious question when it comes to considering compliance with Data Protection law. The eighth data protection principle in the Data Protection Act of 1998 states that data controllers (the companies using the “Cloud” service) are not allowed to transfer personal data outside of the European Economic Area countries, unless the country to which the data is being transferred ‘ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data’.

The first option available to a data controller to ensure he or she complies with the Act while using Cloud Computing is to obtain the relevant person’s consent before sending their data into the “Cloud”. Another option would be to anonymise all the data which would mean that it is not personal data, but this is not always feasible. Neither of these solutions seem ideal. The third option would be to agree a contract with the Cloud provider which would include a set of model clauses which have been approved by the European Commission.

These model clauses, however, are complex and it is anticipated that if the business engaging the Cloud provider is a small organisation then the provider would just refuse to agree to them. As it stands, most Cloud providers are reluctant to agree to the stringent Data Protection Clauses and the contracts offered are offered very much on a “take it or leave it” basis.

There is a move to try and tackle the problem by the establishment of the Common Assurance Metric (CAM), an initiative to produce quantifiable standards that will enable Cloud providers to demonstrate that they have attained a particular standard. CAM was launched on Monday 7 February and is supported by key industry players such as Microsoft.

What it would mean for businesses contemplating entering into a “Cloud” arrangement is that rather than having to go through an in-depth investigation into each potential provider, the business would be able to see the CAM rating which is held by that provider. However, whilst CAM does have the potential to offer a certain level of reassurance, it will not resolve the problem of compliance with the Data Protection Act.

It may be that a change in Data Protection legislation is required and this does seem to have been acknowledged by the information commissioner. However, it must be recognised that legislation is always behind technology and cannot be implemented over night.

It is, therefore, an issue of risk and judgment that each business will have to take on board before moving to the “Cloud”. It is inevitable as time goes on that the level of services offered by the “Cloud” will increase, the costs will go down and generally businesses will find themselves getting more comfortable with the practice.

In the meantime, it is hoped that regulators and legislators alike, working with groups such as CAM, will catch up with technology and work out what is considered to be good practice on the Cloud.

Michelle Craven is a director in the commerce and technology team at Nelsons.