Obscured by Clouds
Cloud Computing is the coming wave. There is no escaping it. However, when it comes to managing Data Protection and Information Quality we need to be wary that this new Emperor may be somewhat lacking in the clothing department.
There are two areas where organisations need to consider their strategies when interacting with the Cloud are:
- Information Quality
- Data Protection/Privacy
Moving your data into The Cloud will not (on its own) solve your Information Quality problems. Anyone who says otherwise is, to be frank, fibbing to you at best or fundamentally lacks understanding of either the Cloud or Information Quality at worst.
All the Cloud is is a platform. Despite the buzz and hype all the Cloud is is a set of software that moves your data around servers to let your storage scale in a way that fits the economics of your business. One software vendor in the DQ tool space advises clients that:
Companies should first ensure data is complete and accurate, and has passed through all traditional data hygiene checks, before preparing the move to the cloud
This is a good recommendation. However it is NOT information quality management, it is simply data cleansing as part of a data migration. Information Quality Management is a bigger set of tasks which includes issues of Data Governance, process management, risk management etc. The recommendation above just gets your data clean. A bigger challenge for people putting their data in the Cloud is keeping their information at the high quality attained in the migration.
If you can’t implement controls (preventative, detective and reactive) on your information quality within your cloud platform then you should consider whether the low financial cost is outweighed by the “total cost of ownership” of information quality work arounds in the the Cloud.
That total cost of ownership includes all the sound Governance stuff you’d expect to see in a Cloud-free environment, such as proper roles and responsibilities for the information, accountabilities for quality and definition of information, metrics on information quality being generated automatically through scheduled processes, and the overall “Culture of Quality” in your organisation being such that everyone knows the value of the information asset when it is at high levels of quality, and the perils and problems associated with poor quality information and how to avoid them.
Under the EU’s Data
Protection Directive (which underpins the national Data Protection laws in 27 EU Member States) a number of obligations are imposed upon Data Controllers (entities who are capturing personal data) and Data Processors (organisations which hold or process information on behalf of Data Controllers) around the protection of and governance of Personal Data.
The Compliance Better Practice for Data Protection requires Data Controllers using Data Processors to process personal data on their behalf (and the definition of processing is quite broad) is that Data Controllers must:
- Choose a processor providing sufficient guarantees in respect of technical security measures and organisational measures governing the processing to be carried out.
- Ensure a contract is in place that ensures the Processor only acts on instructions from the Data Controller, addresses the obligations of technical security and organisational controls governing the Processing, and ensuring that the information is only Processed on instructions from the Data Controller
- Ensure that either they (or an external firm working for them) periodically audit for compliance with the contract and legal provisions applicable to processing (e.g. the Data Protection Acts/EU Data Protection Directive) OR that the Processor periodically submits a report from an investigation by an independent external auditor regarding compliance with the contract and legal provisions applicable to the processing
Furthermore, the Data Protection Directive places restrictions on the transfer of personal data to 3rd countries (i.e. countries not in the EU or the European Economic Area) which might pose difficulties for Cloud platforms where data is subject to a form of the Heisenberg Uncertainty Principle as to what jurisdiction it might actually be processed in.
The unfortunate thing for businesses which are Data Controllers in the context of the EU Data Protection Directive is that if their Data Processor/Cloud Platform Host’s Terms and Conditions contain any wording which opts out of the types of obligations outlined above. Irish lawyer and blogger Simon McGarr highlighted this back in 2009 when he wrote:
The FAQ for Amazonâ€™s Cloud offering, called S3, baldly announces that â€œAmazon S3 allows customers of Amazon S3 to store their data in the EU; however, it is up to the customers of Amazon S3 to ensure that they comply with EU privacy laws.â€ Furthermore, their Terms of Service states, in all caps for emphasis, that they do not warrant â€œTHAT THE DATA YOU STORE WITHIN THE SERVICE OFFERINGS WILL BE SECURE OR NOT OTHERWISE LOST OR DAMAGED.â€
Google has similar wording, but without even the opportunity to keep your data within the EU.
The net effect for any Data Controller using a Cloud platform app is that they will be de facto in breach of the EU Data Protection Directive unless their service provider is willing to step up to the plate and meet the obligations of a Data Processor under the Directive.
(The irony is that, in order to comply with Amazon’s Terms & Conditions, it would appear that you might very well be contractually obliged not to use those services after you sign up).
(Check out my tutorial on this very topic that I delivered at Cloud Camp recently)
It is easy in the hype about the Cloud to let our vision of the fundamentals of managing the Information Asset to be come a bit obscured. But, as Bruce Schneier (BT Group’s Chief Information Security Officer) said recently, the ability to demonstrate Compliance with relevant legislation even when in a Cloud platform “will become THE selling proposition”. He even suggested that clients of Cloud platforms might demand that the cloud providers provide insurance and indemnification against liability for breaches of DP regulation (as is required under the Data Controller/Data Processor contracts outlined above). Likewise, being able to trust the quality of your information is a truly platform-independent requirement which will require organisations to step up to the mark in terms of the actual management of information as the technology becomes yet another outsourced Cloudy Commodity.