Cloud computing is obviously on an upward trajectory, with Gartner predicting cloud services growth from $46 billion to $150 billion between now and 2013.
Cloud solutions can offer potentially cost-effective and flexible service offerings. However, these solutions, often for good reason, involve important operational and legal constraints and risks. Key operational risks are, unsurprisingly, centred on the reliability and security domains, but are the legal risks always as clear?
This article seeks to help the reader understand the legal risks associated with cloud services, so as to better inform business decisions.
Protecting Important Business Data
Because cloud services often involve the overseas processing of business data, it is imperative that their use is consistent with the customer’s regulatory and other data compliance requirements (e.g. the Data Protection Act and, for those working in the FS sector, the Financial Services Authority's data security requirements). In a nutshell, the primary focus of this legislation and regulation is that data is appropriately and fairly protected, controlled and used.
Critically, under UK data laws, the fact that the cloud supplier is housing and processing your business data does not relieve you of your obligations as a data controller. If improper disclosure, use or loss of personal data occurs, you must be able to show that you took appropriate compliance steps, or risk fines and even prosecution (on top of the almost inevitable public relations issues).
Key questions therefore include: does the cloud service you are considering provide commitments to practical protections (e.g. does the supplier commit to compliance with ISO/IEC 27002)? Is the supplier required to maintain ‘on-shore’ data backups? Do the contract terms give you access to your data, and allow you to have it promptly deleted should you require it? You should review the cloud supplier’s terms and assess, given the nature of the data concerned, whether these and related issues are adequately dealt with.
It is also important, where the supplier moves the data off-shore as part of the cloud service, to ensure the requisite consents to process data overseas have been obtained from the data subjects.
TUPE
It cannot be assumed that legal requirements associated with more traditional outsourcing do not apply to cloud services. This notably includes the Transfer of Undertakings (Protection of Employment) Regulations (TUPE). These regulations help protect employees’ rights when a business undertaking is transferred to another body - which might include moving a customer’s traditional service to a cloud service, especially where the transfer remains within the EU.
TUPE could transfer to the cloud supplier the employment of staff formerly delivering the service. Cloud suppliers' business models are invariably not premised on accommodating such transfers, as the services are designed to be readily scalable and are often not labour intensive. Under TUPE the customer may face financial exposure if staff claim they have been unfairly dismissed by the customer as part of any associated down-sizing. These costs can be considerable, even when weighed against significant cost savings or other service benefits.
Standard Terms
Customers should appreciate at the outset that many cloud services are offered using a set of the supplier's standard terms – these often lay the majority of the legal risk at the customer’s door. Typically, and alarmingly, the terms might include:
• very strict limits on the supplier's financial liability;
• rights for the supplier to change the service offering on little or no notice;
• little clear provision for exit or associated costs (is there a risk that what seems an agile and flexible cloud service offering at the outset results in a longer-term lock-in?).
Another consideration is whether the contract terms permit the supplier to sub-contract its obligations to other providers (with whom the customer may be less familiar, having not conducted related due diligence) and, if so, on what terms. Again, the flexibility and financial benefits of cloud services may come at a price in terms of risk.
Procuring Cloud Services
The above comments should not be interpreted as suggesting that cloud offerings are a hugely risky proposition, with cloud suppliers showing disdain for the needs and concerns of customers. Far from it. However, the model inherently means that risks relating to matters such as data controls can be exacerbated. Furthermore, fundamental legal issues when contracting for traditional IT services do not magically go away by selecting a cloud services solution.
Negotiation of terms and conditions for cloud services is often strongly resisted by suppliers. Consequently, it needs to be addressed early and resolutely in the procurement process. Such efforts are worth the investment if significant risks are present. The service benefits are clearly there, and the risks should be open to control and mitigation.