A dark cloud of governance
05 August 2011 | Tim Phillips
Running a Q&A session at a recent Cloud World Forum in London, I was on stage with Adrian Steele, IT director of The Royal Mail.
He'd just migrated 30,000 desktops to the cloud. Did anyone have a job bigger than that? One person from a large government department raised his hand. How developed was his cloud programme? "We haven't started yet," he said reluctantly. "There are, er, governance issues."
Most of the audience concurred. Very few had started a cloud migration programme. The vast majority were worried about the legal, rather than the operational, implications: a dark cloud of governance problems makes it more than your job's worth to burst to the cloud. More surprising, the group on stage, exemplars of cloud migration from all over Europe, agreed. They could do more, they said, but feared falling foul of what they considered to be obsolete regulation.
When it comes to governance problems, the IDC reports that 43% of users are concerned, compared to 39% of non-users, in a recent European survey. The UK government's G-cloud, promised in its cabinet office ICT strategy paper in March 2011, is off to a slow start. A freedom of information request found that six out of 25 departments had no plans to adopt cloud technologies at all, while only two (the Home Office and the Department for Work and Pensions) were using cloud technologies already.
But what is to be done? "Specifically, it's data protection law that predates the cloud," says Kim Walker, a partner at lawyer Thomas Eggar. She specialises in the UK's Data Protection Act 1998, which mirrors admirably tough legislation across the EU, though it's less admirable if you're trying to buy or sell cloud services. It's not easy to follow the letter of the law. If you apply it as it stands, there's an argument that no one can do anything. Her example: if you provide cloud services, you're a data processor. Customers need a fully negotiated written contract under EU law, even to burst when the load on their website needs to be offset. That's before the problems of transferring data out of the EEA, safe harbour agreements and specifying locations where data must reside, which vendors don't want to do, and customers don't want to pay for.
In Walker's experience, the industry operates a don't-ask, don't-tell policy: "People tend to go ahead, if they can demonstrate they have taken all appropriate steps, rather than obeyed the letter of the law." That's how commercial clients with experience of governance get to yes. For government departments with tens of thousands of desktops, it means the cloud project is stuck at no. Walker suggests that customers would pay a premium for the vendor who is active in removing European legal roadblocks, simply to give comfort to their bosses. So what should the vendor lobbyists be demanding? "I've no idea," Walker admits, but they will have to join a long queue.