Drive a progressive strategy
Digital innovation is now a major priority for many education organisations. This is being driven by the expectations of prospective and current students and their teaching and research staff, as well as the progressive IT strategies adopted by other UK organisations (resulting in a need to “keep pace”).
Cloud computing is a proven driver of digital innovation in the UK enabling organisations to meaningfully leverage and exploit state-of-the-art services (using the vast quantities of valuable data they now collect) which wouldn't be possible to deliver in-house.
More and more organisations are adopting cloud solutions to innovate and improve the student experience - by delivering education services through online and mobile means - and to enhance back-office functions.
Realise significant cost savings
This is achieved by reducing spend on traditional IT systems and the often costly maintenance of them, and managing licence fees in a flexible way.
Legacy IT systems can be costly to maintain and can require significant internal or third-party IT personnel to do so. There are substantial capital costs associated with procuring and maintaining a significant hardware estate and also recurring costs relating to patching, applying anti-virus software, encrypting data and so on.
A cloud provider can take care of these activities while spreading costs across its customer base which helps cloud providers to offer affordable licence fees.
Achieved by addressing capacity, redundancy and resilience concerns associated with traditional IT infrastructure and taking advantage of the “best in class” security systems offered by a number of leading cloud providers.
Cloud providers can often offer ISO-standard security, 24/7 support and multiple back-up sites should the primary hosting site encounter a failure. It is unlikely that legacy systems of many organisations will match these standards and a critical failure of a legacy system, with no backup system or available support, could mean that the institution faces real challenges in maintaining business continuity including in respect of services provided to students.
The adoption of innovative cloud solutions doesn’t only create an opportunity for organisations. It also creates risks, meaning there is often a tension between the drive for innovation and the need to mitigate the key risks which arise through cloud adoption.
A constant, crucial consideration for organisations is their reputation with students, staff and the wider education community. Data protection failures are now regularly headline news and so any significant failings by an appointed cloud provider could trigger not only data protection liability and financial repercussions (see below), but severely impact the reputation of the organisation.
It may make financial and operational sense to use a cloud provider to host (for example) student databases but if the cloud provider suffers a major security breach that compromises these databases (meaning that they are in the hands of unauthorised third parties) the students may suffer damage, distress or embarrassment. This can damage the reputation of the organisation even though it did not itself suffer the security breach.
Therefore, think carefully about the kinds of data that are entrusted to cloud providers and compare their assurances on security with what you can deliver in-house.
Data protection and GDPR compliance
Organisations need to comply with the current Data Protection Act (DPA) 1998 and future-proofing for the new General Data Protection Regulation (GDPR).
Key data protection risks will often relate to the following areas:
Location of data (where it is hosted outside the EEA)
Often, cloud providers will provide support and maintenance from a number of strategic global locations (eg United States, India, Australia).
This "follow the sun" model enables the cloud provider to support organisations on a 24/7 basis but care must be taken to ensure that any transfers of personal data outside the European Economic Area (EEA) are done in a compliant way (eg using the EU-US Privacy Shield or EU Model Clauses).
Management of data (including data breach reporting and assistance with student/staff requests for their personal data)
Good data management will be crucial under the GDPR. That applies both to organisations and to their cloud providers.
As an example, if important functions are outsourced to a cloud provider it will be imperative that the provider either supplies (or enables the organisation to retrieve), on a timely basis, all information relating to an individual where they make a subject access request for their personal data.
Termination and exit (ensuring prompt return of data at the end of contract and that the cloud provider does not retain copies)
Though somewhat counter-intuitive, organisations should consider their exit strategy at the very beginning of the process (ie before the contract is signed).
If the solution services business-critical functions of the organisation then it should think about when and how these functions (and any data, including personal data) would be brought in-house or migrated to another cloud provider.
There can sometimes be a discrepancy between the “best in class” security which is offered in practice and the contractual commitments on security which cloud providers are willing to sign up to, as well as a mismatch in expectations on liability caps
Often, cloud providers will seek to limit their liability to a measure of the fees (eg 100% of fees paid). Given the massively increased fines regime and enhanced data subject rights under GDPR (including rights to compensation) organisations may be left with a significant gap between (on the one hand) their potential exposure to regulatory fines, data subject claims and other losses and, on the other hand, what they can reclaim from the cloud provider as losses.
Organisations should consider if the risks of enforcement action and data subject claims can be mitigated through practical (eg limiting the personal data uploaded to the cloud) and technical (eg using encryption and pseudonymisation technologies) measures.
Where the perceived risk is too great organisations may also wish to consider if the service can be delivered in-house and what that means for them if there is (for example) a security breach relating to the internal service.
Threats to research data and intellectual property
Though threats to personal data are a very real concern, organisations will understandably wish to ensure that their research data (which may include personal data and even sensitive personal data, for example in respect of clinical trials) and valued intellectual property are equally safeguarded.
This wider appreciation of an organisation's "data estate" can help to ensure that a more holistic approach to the protection of its information is taken .
The GDPR introduces a new data protection regime that will increase the regulatory burden on organisation "controllers" and cloud provider "processors" but which will also present opportunities and benefits for organisations which meet these new regulatory standards. The key changes are summarised in our guide to preparing for GDPR.
Of particular note from a cloud perspective is the new requirement to incorporate minimum mandatory clauses into data processing contracts, which are much more prescriptive than what the current DPA requires. Traditionally cloud providers have tended to operate on their own standard terms which are often non-negotiable, and so organisations would be required either to get comfortable with those terms from a risk perspective or simply not to procure the cloud solution in question.
That said, we are aware that some cloud providers have a greater understanding of the changing regulatory landscape that their customers operate in (and they are therefore willing to agree the GDPR clauses in their standard terms, with some compromises). Other providers are less willing at this time to engage with customers on an individual basis and may well seek to update their standard terms and conditions closer to 25 May 2018.
Cloud solutions in a GDPR world: top tips
Cloud solutions will invariably form part of an organisation's digital transformation strategy. There can be real pressure to move quickly to embrace new digital technologies and, in some cases, to ignore or abandon legacy systems. Yet this can prove to be a costly mistake if organisations approach this in a reactive, uncoordinated and unplanned way.
There can be significant practical, technical and legal complexities involved in adopting cloud solutions and using them to deliver an organisation's business objectives. This means technological change needs careful review to ensure that any digital strategy is robust and that the risks are recognised and managed.
Organisations should identify their key cloud contracts and put in place a strategy to remediate those contracts (to include the new GDPR contracting requirements) as soon as practicable.
Discussions should take place at supplier level rather than on a “per contract” basis, to improve bargaining strength.
As noted above, because of the "one to many" business model adopted by many cloud providers they may not change their standard terms for "just one customer".
Organisations could have more meaningful and productive discussions with cloud providers where they focus on a smaller number of key risks (particularly GDPR) rather than seeking to amend the cloud provider's terms wholesale (which can lead to wasted time and resource).
Sometimes negotiations can become frustrated because the role of the cloud provider in the supply chain is not clearly understood, which can lead to challenges in agreeing an appropriate balance of risk.
The supply chain in a cloud environment will differ greatly depending on the model being deployed whether infrastructure-as-a-service (IaaS), platform-as-a-service (PaaS) or software-as-a-service (SaaS), and may include a range of third parties. For example, a SaaS solution may operate on the platform of another provider which is stored on the infrastructure of a further third provider.
Given this complexity, and the propensity of cloud providers to engage with different partners and providers, effective identification and monitoring of risk is demanding both at the outset of a cloud contract and during its term. This is especially important when thinking about the GDPR's requirements on conducting effective due diligence from the outset (see below) and flowing robust contractual provisions down the supply chain.
It is imperative for organisations to carry out effective IT due diligence from the outset as this will help to inform the legal negotiations.
For example, although cloud providers may (in technical terms) offer “best in class” security in state-of-the-art data centres, those data centres may be based in countries/territories which present legal risks that require to be addressed in the contract (eg where those data centres are located outside of the EEA, requiring contractual safeguards to be put in place).
This may become more challenging when the immediate provider has appointed a long line of subcontractors (common in cloud arrangements), thereby requiring the organisation to “look under the bonnet” to understand where its data is being held, and by whom.
Explore our cloud services and find out how they could help your organisation.