If you haven't already heard, Safe Harbour, the 15-year-old framework that allowed businesses to transfer personal data from inside the European Economic Area (EEA) to the rest of the world on the strength of fairly loose security commitments, has been struck down. Industry watchers will already know this, of course, but what is harder to grasp is what it actually means in the real world. What do businesses need to do to ensure they comply with the revised laws being discussed in its wake?
The self-certification aspect of the Safe Harbour arrangement meant that, whilst there was a framework in place, there was very little monitoring behind it. It was more of a tick-box exercise and incredibly weak from a technological perspective: just enough to keep the American tech giants on side and to allow easy use of their services.
Now that shortcut has gone and I believe that is a good thing. The Data Protection Act is there for a very good reason: the protection of EU citizens' personal data. That data ought to be protected to the same standard when it is outside the EEA, and companies have a duty to ensure that their clients' personal and sensitive data is properly protected. This week, TalkTalk is still caught up in the thorny issues around protection of sensitive data. The impact on individuals and companies can be huge, from financial loss to redundancies and irreparable reputational damage. I hope they can get through it.
A brand new data protection law is being finalised as we speak, and it is expected to come into force in early 2017. Data protection law is really going to start to have teeth. The details have yet to be settled, but much, much higher fines are expected, calculated as a percentage of turnover. I also expect to see much more prescriptive rules around the processing of personal data and much more accountability placed on those deemed not to be taking things seriously.
Businesses will need to make sure their due diligence is in place now that the arrangement they relied on has gone. It is about having an open dialogue with your hosting provider. Call your account manager and ask whether their supply chain guarantees that your data will not leave the EEA, and preferably not UK soil. We have some of the most robust data regulations on the planet in this country.
When re-selling, you might be leaving yourself open to legal issues if you don't also perform the right due diligence on your partners' supply chains. Where is their cloud hosted? Is any part of it sitting in a datacentre outside the EEA? What are the legal controls like in that country? These are going to be important questions to ask as data protection legislation gets tighter between now and 2017.
Supply chains are not always visible to your customers. If a firm has partners as far afield as the Far East, and their remote services are being used to process the data for business reasons, you have a duty to ask the question: will I be able to control that relationship? The supply chains and partners that provide an organisation's products and services can present a massive compliance and trust risk for the channel and for the government sector.
From a hosting point of view, those with rigorous control over their supply chain and a wholly UK-based datacentre infrastructure are at an advantage under the new legislation; the rule changes will cause them little disruption. However, the fact that a provider holds all the ISO certifications doesn't ensure that every partner that might process data on its behalf has the same technical controls in place: a certificate covers the certified organisation and the scope it declared, not its subcontractors. Not all companies can afford to audit each of their distant partners. This can lead to issues further down the line if you're using a cloud service that is outsourced far and wide.
The rise of cloud computing has led to more and more data processing occurring in remote locations, with supply chains and datacentres spread across the globe to meet cloud demand. If your cloud service is outsourced to a third party then there is no guarantee that your data is in an appropriately controlled environment, as the Data Protection Act requires. Most people do not have the time or knowledge to investigate their cloud provider and its supply chain when procuring services, but it is important to ask where your data will go.
As high-profile data breaches continue to hit the headlines on both sides of the Atlantic, I hope that more businesses will start to take their data security seriously. The Safe Harbour ruling and consumer data breaches have brought the issue into the public eye this month, but as a global tech industry we must work across national and continental lines to improve data security regulations for everyone.
Lawrence Jones is chief executive of UKFast