The Cloud Industry Forum (CIF) has largely welcomed the Opinion on Cloud Computing issued by the Working Party established under Article 29 of Directive 95/46/EC, suggesting that it represents a valuable step towards transparency, accountability and credibility for the industry.
In its Opinion, the Working Party provides practical advice on how to avoid falling foul of data protection legislation, examining a list of 14 issues that end users and CSPs should address in Cloud service contracts by way of best practice, broadly addressing two common issues: the need for control over personal data and the current lack of information with regard to how, where and by whom the data is being processed/sub-processed.
Andy Burton, CEO of Fasthosts and Chairman of CIF, commented: “The need for standards and regulation in the industry is self-evident. As with all new markets, there are entrants who are credible, well-intentioned, capable and professional and there are also unfortunately those that are looking to make a quick profit and whose public claims will not pass the test of scrutiny, and whose impact can be damaging to the market. It’s encouraging to see that the Working Party is taking steps to highlight and address these issues.
“The Working Party’s Opinion has highlighted a number of issues which CIF has been keen to see addressed. Indeed many of these are already touched on in the self-certification requirements for the CIF Code of Practice as well as its guide to best practice on Contracting Cloud Services.”
A key conclusion of the Working Party is that entities wishing to use Cloud computing should, as a first step, conduct “a comprehensive and thorough risk analysis”. In addition, clients should only appoint cloud computing providers “that guarantee compliance with EU data protection legislation”.
Burton continued: “In validation of the CIF Code of Practice, the Opinion highlights the role that independent verification and certification by a reputable third party can play by providing Cloud Service Providers (CSPs) with the means to demonstrate their compliance with good practice in terms of transparency, capability and accountability.”
The only slight area of concern raised by CIF at this time is how any future obligations on CSPs regarding controls for processing data, and the associated logging and audits, may evolve, so as to ensure a level playing field in practice for the professional service providers who make the required investment and commitment. In Burton’s opinion, “It has to be both workable and enforceable in order to achieve the desired outcome of trusted CSPs and good governance for Data Controllers.”
“Arguably the biggest change that Cloud computing brings is not new technology but the ability to procure IT-as-a-Service rather than as an asset. In the case of Cloud, the contract between provider and customer is fundamental to a successful deployment. Until standards of transparency, accountability and capability are mandated industry wide, CIF calls on end users to assume and maintain ultimate responsibility for decisions they make in terms of adopting Cloud Services, and to look towards recognised industry bodies for guidance and advice,” he concluded.