#DSCloud16: Firms must get compliant or face the consequences
3 June 2016
While the cloud can offer businesses great benefits, they need to choose their supplier carefully to ensure their data is stored securely and in compliance with data protection regulations, or they could face large fines from regulators.
To achieve this, they must not only audit any provider they work with, but also take care that their own policies and security measures meet the required standards, an expert has told Business Reporter ahead of Data Security in the Cloud 2016.
“I think this is something that is critical for every company right now,” says Rocio de la Cruz, a privacy and data protection solicitor at Birmingham City Council. “It helps you minimise risk and avoid data breaches, and those parties that have done this so far are very happy that they did it because it has reduced a lot of risk.”
While the current maximum fine for UK companies that mishandle data, under the Data Protection Act 1998, sits at £500,000, the European Union’s General Data Protection Regulation will raise that limit to €20 million (£15.5 million) or four per cent of a firm’s worldwide annual turnover, whichever is greater. The regulation’s two-year transitional period has already begun, and firms will want to make sure they are fully compliant before it takes full effect.
“We have a lot of things to do within these two years,” de la Cruz says.
Although the regulations can appear complex, there is plenty of guidance available for firms that want to make sure they are compliant, including some from the government itself and advice from the Information Commissioner’s Office on the use of cloud computing.
“What we are doing in order to minimise risk in our contracts is paying attention to the cloud security guidance from the CESG, from the UK government,” de la Cruz says. “They issue very useful guidance, and we use a list of 14 principles. We can use them to assess what is the proper cloud that we can use when they are processing your personal data.”
But she adds that from her perspective many firms still need to carry out these kinds of audits and make sure they are compliant before it is too late.
“From my experience, it is something they need to work on,” de la Cruz says. “A lot of companies think they are fully compliant with the Data Protection Act when they are not. They have got databases and they think about moving this data to the cloud and they do not review these policies and security measures within the cloud.
“Some companies are more progressed in this, but not all of them. The majority are outdated and need to change this. You have to check all the policies and security measures are in place, make sure you are ready to share that data, and audit the other party.”
It sounds like a tall order for companies in the face of such large potential fines, but according to de la Cruz clear guidance and a good plan can go a long way.
“If you know how to do it, you can make it easy,” she says.
See Rocio de la Cruz speak alongside other industry experts at Data Security in the Cloud 2016, which takes place this month in London.