A dark cloud of governance
Running a Q&A session at a recent Cloud World Forum in London, I was on stage with Adrian Steele, IT director of The Royal Mail.
He’d just migrated 30,000 desktops to the cloud. Did anyone have a job bigger than that? One person from “a large government department” raised his hand. How developed was his cloud programme? “We haven’t started yet,” he said reluctantly. “There are, er, governance issues.”
Most of the audience concurred. Very few had started a cloud migration programme. The vast majority were worried about the legal, rather than the operational, implications: a dark cloud of governance problems makes it more than your job’s worth to burst to the cloud. More surprising, the group on stage, exemplars of cloud migration from all over Europe, agreed. They could do more, they said, but feared falling foul of what they considered to be obsolete regulation.
In a recent European survey, IDC reports that 43% of users are concerned about governance problems, compared to 39% of non-users. The UK government’s ‘G-cloud’, promised in its Cabinet Office ICT strategy paper in March 2011, is off to a slow start. A freedom of information request found that six out of 25 departments had no plans to adopt cloud technologies at all, while only two – the Home Office and the Department for Work and Pensions – were using cloud technologies already.
But what is to be done? “Specifically, it’s data protection law that predates the cloud,” says Kim Walker, a partner at lawyer Thomas Eggar. She specialises in the UK’s Data Protection Act 1998, which mirrors admirably tough legislation across the EU – though it’s less admirable if you’re trying to buy or sell cloud services. “It’s not easy to follow the letter of the law. If you apply it as it stands, there’s an argument that no one can do anything.” Her example: if you provide cloud services, you’re a data processor. Customers need a fully negotiated written contract under EU law, even to burst when the load on their website needs to be offset. That’s before the problems of transferring data out of the EEA, safe harbour agreements and specifying locations where data must reside – which vendors don’t want to do, and customers don’t want to pay for.
In Walker’s experience, the industry operates a don’t-ask, don’t-tell policy: “People tend to go ahead, if they can demonstrate they have taken all appropriate steps, rather than obeyed the letter of the law.” That’s how commercial clients with experience of governance get to yes. For government departments with tens of thousands of desktops, it means the cloud project is stuck at no. Walker suggests that customers would pay a premium for the vendor who is active in removing European legal roadblocks, simply to give comfort to their bosses. So what should the vendor lobbyists be demanding? “I’ve no idea,” Walker admits, “but they will have to join a long queue.”