Whose Data is it Anyway?

Archives: 2013

By Nick Prescot, Information Security Analyst, Firehost

In the increasingly complex world of hosting – shared, dedicated managed, virtualised and the like, there is an increasing concern about data ownership.

Putting all your data in the cloud has become fraught with many security and compliance concerns, but what is interesting is that data ownership is often overlooked. With the new EU data protection directive currently being debated in the European Parliament, the question of who owns what data has become far more pertinent.

As it currently stands, all organisations in the UK are subject to the UK Data Protection Act (UK-DPA). This piece of legislation defines three main categories of data ownership, the first being a ‘data controller’ – which is responsible for individuals’ data and ensuring that it is processed in accordance with the Act’s wider principles. The data controller can also ask a ‘data processor’ to process the data on their behalf, but the data that is being moved around must be given the same protection that the data controller is required to give. Last, but not least, is the ‘data subject,’ who is the individual whose data is being given to the data controller and processor to move around and utilise.

The new EU data protection directive currently being debated in the EU parliament intends to fundamentally change how personal data (including credit card data[1]) will be processed, and what the penalties for data misappropriation will be.

The main proposed elements of the new EU data protection directive are:

  • The data processor and the data controller will be held equally responsible for the management and the movement of data
  • Compulsory breach notification to the local authorities if personal data has been breached
  • Punitive fine of up to two percent of global turnover if the data controller/processor has been determined to be in breach of the data protection laws
  • Harmonisation of the data protection laws across the 27 European member states

The proposed changes are an evolution of what has previously been enforced, as are the responsibilities of those handling data. The control and processing of data will be much more onerous for the entities that process personal data.

At this stage, it is important to separate the potential effects these changes will have on the public and private sectors in the UK. The Information Commissioner’s Office has publicised that it will fine organisations up to £500,000 for a breach of personal data. Fining a public sector organisation such amounts is unlikely to force it to close, but it will probably have to re-adjust its budget, which will impact the services the entity delivers. For the private sector, the financial impact is often more severe, as the reallocation of funds is more challenging. For both types of organisation, reputational damage cannot be escaped.

The proposed evolution of the EU-wide data protection directive will have a substantial impact on hosting providers, so all businesses that host their data with a third party (data processor) should take note. The last EU Data Directive was passed in 1995, before the Internet went mainstream, so a unified approach will harmonise data privacy and protection across the 27 EU member states. Not only will the data controller be required to provide more assurance in terms of managing the data, the data processor will be required to undertake the same level of assurance.

The fact that data processors, such as hosting companies, will bear the same burden of regulatory responsibility as data controllers means that more care needs to be taken during the evaluation of potential cloud providers.

Once the bill is passed (likely in 2014 and implemented in 2016), cloud providers’ data protection and privacy programs will need to be more carefully reviewed for alignment with the imposed regulatory climate. Whilst the new EU data directive is being discussed, the issue of data sovereignty needs to be explored and each provider’s practices fully understood. These issues are important for all cloud providers regardless of where they are based or from where they operate. For providers based outside of the EU, full understanding of the provider’s Safe Harbor status, their stance regarding the laws governing data privacy in their country of origin and how they plan on meeting compliance with the EU directives and data sovereignty are all of paramount importance.

[1] Reference the Lush decision by the ICO