Last year saw the phrase “cloud computing” enter the mainstream, with a lot of buzz about its manifold benefits. But, as with anything else, those benefits come with a number of potential problems. GB investigates.
Last year saw the phrase “cloud computing” enter the mainstream, with a lot of buzz about its manifold benefits. But, as with any other kind of computing, those benefits come with a number of threats and potential problems. Andrew Scott, a partner at law firm Dickinson Dees, sets out what businesses need to know.
At first glance, cloud computing looks appealingly simple. There’s the potential to store all your data and applications in “the cloud” (or in more prosaic terms, in an external data centre), meaning that information is properly backed up and secured, while applications are updated automatically. End result: a lot less hassle, with the box on your desk that gave you so much trouble becoming increasingly irrelevant.
Well, that’s the hype, and there is an element of truth in it. Growing businesses are particularly well-placed to benefit because they can more quickly get up to speed with new technology. But there are potential pitfalls, which you need to address from the start of any contract discussions.
Approach an agreement with the same due diligence as you would any IT services contract. Even though no team transfer is involved, transferring data and business-critical processes outside the organisation should not be taken lightly.
A recognised problem with the cloud is lack of transparency because, by default, it takes an element of the IT infrastructure out of the company’s control. There is little or no visibility into the processes behind the cloud and this is why you need to be satisfied with the key performance indicators (KPIs) offered by the service provider and agree an acceptable percentage of downtime and maximum number of outages within a set period. There should also be a clause on data cleansing following termination of a contract. This will ensure that data does not still reside on the service provider’s servers, even in “shadow” form.
In addition, close attention must be paid to the jurisdiction of the territory where the data is held. It may not matter much to you whether your customers’ personal details are stored in Milton Keynes or Mumbai, but for legal or compliance purposes it could be vital. Bodies with audit rights such as regulators or taxation authorities may also demand to know exactly where data is kept.
You also need to be aware of data protection requirements. Depending on the nature of the service, you are likely to remain the “data controller” for legal purposes even if you are, effectively, outsourcing that control to someone else. You therefore remain liable for compliance with security requirements (among other things) and for ensuring that any personal data is adequately protected in the overseas location.
Although care is needed to handle the above issues and mitigate threats, there is no reason to believe that legal and regulatory requirements will pre-empt the use of cloud computing in the financial services sector. As always, however, the devil lies in the detail.