Dealing With Data Privacy in the Cloud

BrandPost By Paul Trotter
Jun 29, 2015
Data and Information Security

Data has become a buzzword that means different things to different people, but all organisations agree that understanding customer behaviour, sales performance, and information processes can build a platform for achieving business success.

However, our reliance on data and the potential pitfalls associated with managing it have given rise to the need for safeguards for the protection of information, particularly in Europe where the General Data Protection Regulation (GDPR) will soon come into force. GDPR is designed to harmonise the current data protection regulations across EU member states, with strict data compliance stipulations and the possibility of huge financial penalties for those who breach of the rules.

While the regulation doesn’t deal specifically with cloud service providers, it does have implications for organisations that use cloud services to store data. And with many companies in need of guidelines on how to deal with new approaches to data management, it’s time to turn to the experts.

We spoke to a number of thought leaders based in Europe to get their view on the steps organisations should take to ensure data is managed correctly in the cloud when GDPR comes into force.

“Even though the law-making process often appears to move at glacial speed, there is no doubt that the EU Data Privacy Regulation is coming,” said Richard Edwards, Principal Analyst at Ovum. “Whether it actually comes into force in 2017 or 2018, companies offering or using cloud services in EU territory need to pay heed to it now.”


Christian McMahon, CIO at three25, a technology business consultancy in the UK, said organisations should initially research how GDPR applies to their business, and benchmark their current level of compliance before detailing where change is necessary. Many may benefit from the appointment of a data protection officer, he said. However, he added that none of the above should affect a company’s move to the cloud.

“Unless your data is in such an amorphous state that you cannot remodel it to fit the new standard without teams of data scientists and alchemists, the move to a cloud strategy may be a sensible and cost-effective approach to doing it all in house,” said McMahon. “Any well-governed cloud vendors should already be on point to restructure their applications and services accordingly to accommodate said changes with many being ready a long way before you can make your own internal changes.”

Adrian Bridgwater, an enterprise IT blogger for a number of B2B sites, including Forbes, agreed that many reservations over placing data into the cloud were misplaced, including fears over security.

“If the single biggest concern centres around the security of placing data in multi-tenant public clouds then this is a misjudgement,” he said. “If anything, providers of public cloud managed hosting services know a lot more about system security than most individual firms. Second, privacy policy controls stipulated upon instances of private cloud may be harder to update that those held in public environments where service layers are stronger.”

Indeed, confidence in cloud security is growing, according to the 2014 IDG Enterprise Cloud Computing Study. The survey found that the vast majority of enterprises were “very” or “somewhat” confident that the information assets placed in the cloud are secure.



However, data regulation is likely to encourage many companies to take a hybrid approach, allowing them to separate the data from the application. That way the application resides in the public cloud, and critical data is stored on a private network, in theory giving companies more control.


René Büst, Senior Analyst and Cloud Practice Lead at Crisp Research, said many CIOs are focusing on the issue of “data gravity” – the difficulty of managing and moving data as it becomes more important and intrinsically linked to the services and apps that rely on it. He said data gravity is an issue for organisations either because of the size of the data, or because of the legal conditions that require it to be stored in an organisation’s own environment.

“A hybrid infrastructure design is an approach to deal with data gravity and to reduce the concerns over data privacy regulations,” said Büst.  “Legally sensitive data stays in a private cloud and the non-critical data can be moved to a public cloud. Another solution is to let the cloud services access the data in a hybrid cloud model without moving them.”

That way, data is not directly stored in the public cloud. Instead cloud services are accessing data stored in a private cloud via a direct connection only during the processing time.

Craig Allen, CEO of ITHouse Solutions, a UK-based enterprise service provider, added that it’s always good practice to encrypt data “in motion and at rest without giving your cloud hosting company access to your keys.”

“The cloud is safe and will meet and exceed your requirements as long as your business takes reasonable precautions and decisions to manage and protect your data,” he said.

Ultimately, all contributors agreed that companies should not use GDPR as a reason to delay cloud investments. Instead, they should find out the implications of data privacy regulations in order to embrace the cloud at their earliest convenience.

“Data privacy as it stands now and the new EU regulation when it comes into force in a couple of years are issues to be understood properly and handled. It shouldn’t hold back a company’s strategy to move to the cloud,” said David Terrar, founder of digital transformation and social business consultancy Agile Elephant. “The business agility and competitive advantages gained from a well-executed cloud strategy are too important to be delayed in the current competitive landscape.”


Dale Vile, Research Director at IT analyst firm Freeform Dynamics, suggested anyone saying that their cloud computing strategy is being held back by privacy regulation is almost certainly using this as a smokescreen to hide other objections.

“The reality is that privacy considerations simply do not apply to most cloud use cases, and even where they do, it’s perfectly possibly to work through the issues and find a solution,” Vile said.

McMahon said companies will have to abide by the new legislation or guidelines if and when implemented, so would be wise to research how GDPR applies to their business right now. “Use this time as an opportunity to reconsider your approach to the cloud,” he said. “Failing that, you could always retrain as a GDPR expert advisor as I feel you may have a steady revenue stream in the not so distant future!”