Monday, 26 August 2013
Data security contract terms may not be sufficient to ensure compliance in the cloud
It seems there is some dissatisfaction in the IT industry with the misleading and downright unclear language used to present data security terms in cloud contracts. Outsourced cloud computing service providers are being asked to check that what they say they offer, and what they actually deliver, is compliant with data protection rules.
Research company Gartner has outlined concerns about the ambiguity of cloud contract terms on the subject of data security, predicting that 80% of IT procurement professionals will remain dissatisfied with the effectiveness of the data security terms offered by 'software as a service' (SaaS) cloud providers through 2015.
Gartner said businesses should at least agree contract terms with providers that allow for an annual security audit and certification to be undertaken by a third party, and should insist on a clause allowing them to terminate the contract should a security breach occur and the provider "fails on any material measure".
Businesses should consider whether there are gaps in their compliance in spite of having contract terms in place with cloud providers relating to data protection and security.
Under the UK Data Protection Act (DPA), data controllers are required to take "appropriate technical and organisational measures" to protect against the "unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data".
When outsourcing the processing of personal data to others, data controllers are required to select processors that can provide "sufficient guarantees" that they will properly meet the "technical and organisational measures" requirement, and the controllers must themselves "take reasonable steps" to "ensure compliance" with those measures. The Information Commissioner's Office (ICO) last year issued guidance on cloud computing in which it outlined its conditional support for businesses relying on independent auditors of cloud providers' data handling and security practices when evaluating whether those providers meet the required standards.