With the onset of GDPR (General Data Protection Regulation) in May 2018, data protection requirements will become more stringent. The responsibilities placed on an organisation relating to the data it holds will be two-fold:

• As a data controller (where the organisation enters and maintains personal data), the organisation must comply with rules concerning consent, access and transferability
• As a data processor [where the organisation holds data on its own servers] it must follow regulation by ensuring high level cyber security, physical hardware security, strict backup regimes, firewalls and auditing. For example, a data processor is responsible for monitoring the access to the physical equipment on which the data sits, and the route the data takes to be processed. A good way of doing this is to produce an access control policy, which clearly sets out roles and rights of staff members, only allowing staff with sufficient rights the ability to access system

What’s an organisation to do? The answer is to either remain a full data processor – with the responsibilities that come with that – or to outsource all its IT.  An example of the latter is outsourcing to a hosted desktop provider that is accredited under ISO 27001, as it will already have policies and procedures in place which will cover the requirements of a data processor under GDPR.

Security tools previously only affordable by large organisations can be deployed for use by SMEs – affordable now because the costs are shared among users of the outsourcing company’s secure data centre. Services include robust firewalls, enterprise quality antivirus and web filtering, optional encryption of sent emails and management of all access devices [smartphones/tablets/laptops/desktops or thin clients] used by staff.

Outsourcing the storage, backups, security and processing of data to a company that complies with strict data protection regulations will ease the processing responsibility; “ease” because the organisation will still need to make sure that paper copies aren’t left lying around and that staff are given adequate authorisation to manage access to the data. However, the bulk of an organisation’s responsibility under GDPR’s data processor requirements can be safely left in the hands of the professionals at the outsourcing company.

Hybrid solutions, whereby an external IT company manages in-house equipment, can also work, but in such instances one needs to be particularly careful to use a very reputable IT company. For a hybrid IT solution, using the wrong kind of support company may hinder rather than help.

Let’s consider the following two scenarios: (i) the data storage is remote but the processing local (i.e. on the organisation’s own servers).  In this case, the organisation will still be considered a processor (ii) the organisation brings in an IT provider to manage the servers, but the servers are owned by the organisation. In this case, the organisation will still have the responsibilities of a processor. IT providers cannot typically take responsibility that the personal data customers hold is GDPR compliant and therefore the organisation must ensure that the data held complies with the rules.

However, when it comes to processing responsibilities, the burden of compliance will fall somewhere between the organisation and its IT provider. What an organisation must ensure is that it is working in perfect synergy with its IT provider in setting out the GDPR processing responsibilities. They need joint access policies, joint security policies and so on.

In summary, outsourcing all of the IT can greatly simplify the GDPR management process, while a hybrid solution can be GDPR compliant, but the organisation must be extremely diligent as to which IT vendor it chooses as a partner to ensure that nothing is falling between the proverbial cracks of GDPR’s processing and procedures.

(c)iStock.com/johnshepherd

During a speech at a Conservative Way Forward event on September 9, Liam Fox, the International Trade Secretary, said that Britain had become “too lazy and too fat”, with businessmen preferring “golf on a Friday afternoon” to trying to boost the country’s prosperity.

While somewhat diffused by Downing Street later as “clearly private views”, his statement was certainly thought provoking.

As the CEO of a company that provides cloud-based IT services to hundreds of British businesses, I suggest we have a good ‘bird’s eye view’ of evolving working patterns. Besides manufacturers, our customers include professionals such as lawyers, accountants and recruiters, as well as financial service providers, leisure centres and automobile repair centres. And yes, we also service golf courses.

Our system enables customers to log in from anywhere – golf course, office, home, coffee shop, even when on holiday – not only to view emails or access files but, if needs be, access their entire suite of business applications.

When customers log into their cloud server it is not to surf the internet, but to work. We can share that:

• Customers log in at all times of the day (even at 3am)
• Busy usage typically starts at 7:30am and ends at around 6:30pm (as opposed to the conventional 9 to 5)
• We regularly find customers calling us while working from home

It is apparent that in today’s day and age work habits have changed; namely that the clear division that might have existed in the past between work time and private time has become blurred. With cloud computing, one doesn’t need to sit by one’s desk in order to work. A manager might go to the golf course for a round of nine holes from 12pm to 2pm and continue working until 9pm from home.

I wouldn’t call that person lazy. I am proud that my customers can have flexibility in the way that they work and I know that an efficient IT solution such as ours enhances their options.

As a final thought, and although Mr Fox was referring to businesses, I would like to add a word about the UK’s charity sector. We have dozens of charity customers, and we find that their employees care about the cause that they are serving and are admirably dedicated to their job.

We feel privileged to serve such a hard working clientele.

(c)iStock.com/FrankRamspott

On October 6, the European Union’s highest court struck down a transatlantic pact used by thousands of companies to transfer Europeans’ personal information to the US.

The pact known as Safe Harbour was introduced over 15 years ago and it allows companies and countries outside the EU to declare that they adhere to the stricter privacy and data protection rules set by the European Union. Striking down the Safe Harbour arrangement came in light of recent evidence that foreign entities claiming to adhere to EU standard data protection cannot actually meet the standard when it clashes with the foreign governments’ interests in national security.

This news created speculation about the methods in which the big data companies will get around this ruling. What is clear though is that the European High Court identified an adverse discrepancy in the way personal data is protected in the US versus the EU. UK customers, be they individuals or businesses, need to evaluate the importance they place on securing their data or that of their respective customers, and realise that using foreign companies, albeit large and well known international providers, is viewed by the European courts as potentially compromising that data.

We are all aware that any electronically stored information is at risk of being illegally hacked or compromised, but the court ruling was not relating to the quality of cyber security that companies employ, but to the risk posed by foreign government which may have the right to demand from data providers access to data including that of UK individuals or businesses.

A suitable analogy in the physical world might be comparing between two storage houses. Let’s say both had a burglar alarm and doors and windows secured with appropriate locks. They still both have a risk of burglary. Moreover, both centres would need to let the law enforcement agents inspect the premises if they had a proper court order given on sound grounds.

However, what if one of the centres was located in a jurisdiction where the law enforcement agents didn’t require a court order to enter, what if they just had the key and can roam around freely without even saying why there were there or indeed that they were there in the first place. Now what if the law enforcement wasn’t only the police, but a multiple of unknown government branches? Which storage house would you feel is more secure, the one that needs a court order to enter, or the one where the key is sitting with multiple government agencies?

The same comparison applies to the online world and the European court has recognised that. Storing files or using email provided by a non EU company means that the company doing so is not only breaching security, it might be welcoming the breach through an open front door.

It will now be interesting to see whether the ruling will be viewed merely as a technicality to be circumvented by big companies or will it be seen as a real warning sign and a catalyst for businesses to use smaller European cloud service providers which solely use European data centres and are subject only to European data protection laws.

(c)iStock.com/-MG-

Everyone should back up important or valuable data, whether that data is family photos for individuals or business documents for companies. Individuals may be happy to buy a local hard drive and put it in the attic but for companies where their business depends on their emails or file records it would make sense to have a more robust solution.

Many companies are now backing up their data with cloud vendors. Besides the relative simplicity of this solution, it makes commercial sense to store the backup in a remote location in case the “disaster” doesn’t only strike the main servers but perhaps the entire office or area.

An example of a ‘regional’ disaster occurred in May in Holborn when an underground fire left thousands of employees without power or access to their offices. Backing up from one drive to the other in the same vicinity would have been useless.

It is good practice to back up data, but does everyone also need disaster recovery (DR)? To put it simply, the difference between the two is that a backup ensures there are safe copies of the data, whereas DR typically refers to a solution whereby not only is the data backed up but the company can be up and running within a certain time frame. Backup is just the first component of DR, while a full DR solution will require considerable replication of equipment.

Hopefully, disasters are few and far between and if companies back up their data, to what extent should they worry about the speed of being fully operational if a disaster does happen? The answer would obviously depend on the nature of the company, its needs and budget; but the answer would also depend on the set-up of the company’s primary IT solution. The more complex that arrangement is, the more complex and expensive the DR solution will be.  

Balancing

I would like to explore these considerations in more depth. Firstly, there is the question of balancing between cost and need. No one wants to stop working for a few days, but if the company could survive with patchy IT for a short time while the primary IT solution is being restored, perhaps it is not worth maintaining an expensive DR solution for years in anticipation of the disaster which hopefully will never arrive. If on the other hand, the company cannot survive without continuous IT, then it probably cannot cut corners when preparing for a disaster.

If we were to compare this to bike riders, some will go out for a Sunday spin without even a spare inner tube, while if they are racing in the Tour de France they will have a support vehicle with spares for every part – plus mechanics who will get the cyclist back on the road in no time should anything happen to the bike.

Secondly, besides the balancing of cost and requirement, there is a question of the ease in putting the DR solution into place. When a company manages its own servers, DR becomes a stand-alone project which typically requires an additional vendor relationship, dedicated communication solutions and a complete reconfiguration of the IT infrastructure. However, when a company has 100% of its primary solution in the cloud, then backup and even a variety of DR solutions are simple add-ons.

DaaS and DRaaS

The hosted desktop solution, which provides a holistic cloud service for companies and removes the need for any internal IT management, is sometimes referred to with the acronym DaaS or Desktop as a Service. The idea is that all of a company’s IT needs can be bought on a per-user per-month fee. Similarly, companies using the Hosted desktop can have DRaaS or disaster recovery as a service. Here, too, the company need not worry about DR or the CAPEX outlay, because it is all provided as part of the service.

Let me try to explain using an analogy from another industry.  Imagine that you own a brand new Mercedes, but rather than service it at the authorised garage, you decide to use the local mechanic; then you try to go to the Mercedes authorised dealer to rent an equivalent replacement vehicle while your car is in service with the mechanic. This is doable, but it would involve more paperwork, potentially more cost and certainly less peace of mind. If your car is precious, which it is, would you not prefer to outsource the maintenance to an authorised professional dealer which provides a warranty, peace of mind and a replacement car as standard?

Similarly, for your business’ precious IT, using a top hosted desktop provider offers not only peace of mind for all of your primary use, it offers backup and even disaster recovery as standard. Using your fleet of cars should be a pleasant, seamless experience. Why shouldn’t using your IT be the same, particularly if is being managed via a company holding the ISO 27001 accreditation?

If peace of mind can apply to how a vehicle is serviced and generally looked after by its supplier, the same can apply to IT and the cloud. ISO 27001 is the international gold standard for information security management.  Accreditation – by, for example, a cloud services provider – ensures that that standard runs throughout the provider’s services – and is a guarantee that all the steps that should be taken to safeguard a client’s information are rigidly enforced.  DR and backup, and all that is between them, are covered by the standard.  

(Image Credit: iStockPhoto/iStockFinland)

Recently I read a fascinating article by Rachel King in the WSJ CIO Journal titled “Google moves its corporate applications to the Internet”. This article was of particular interest to me because I manage a company that offers a hosted desktop solution to SMEs, and what is described as Google’s “new approach” is the approach that our customers have been benefiting from for years.

Here are just a few examples of quotes from the article:

“Google Inc., taking a new approach to enterprise security, is moving its corporate applications to the Internet.”

“That means employee access is treated the same whether the user is at a corporate office, at home or in a coffee shop.”

“Google tracks and manages all employees in a user database and a group database that is tied into the company’s human resources processes. These databases are updated as employees join the company, change responsibilities or leave the company.”

For our customers, all their applications are hosted and backed-up securely in the cloud, as is their data. Employees are treated the same whether the user is at a corporate office, at home or in a coffee shop, and our customers manage user permissions and update these as the employees join the company, change responsibility or leave the company.

Google is a great company, perhaps even the greatest, and they’re taking the right approach to corporate applications. I would go one step further and recommend Google to move to the full hosted desktop. While Google is securing each device, thereby creating a hybrid of local device and cloud, I would recommend that they adopt a full cloud solution whereby all data, applications and computing are in the cloud.

By remaining device dependent they are reducing their own flexibility; for example, what would happen if an employee went on a business trip and forgot their “approved” tablet at home? Would they be able to access all of their applications from any device? For this reason, for most of our customers, the device doesn’t matter; as long as the individual is securely authenticated, the employee can work not only from everywhere but also from every device.

For those customers with extra security requirements, we offer a two form authentication (2FA) process which continues to allow access from any device, but might require the entry of a password sent to the employee’s mobile phone. Becoming device agnostic is not only secure, but it removes the need to manage certain devices and allows a bring your own device (BYOD) policy.

The cloud need not be only for data backup or only part of a wider hybrid solution. Many companies can move 100% to the cloud while enjoying the benefits of flexible work, security, improved cash-flow, and, in many cases, cost reduction. The biggest benefit of the cloud may be that it removes the worry of dealing with IT from the business managers, thereby allowing them to get on with what they do best.

I take pride in the fact that our customers – recruitment companies, financial brokers, accountants and charities, ranging in size from two dozen to a few hundred employees – are enjoying a service not too dissimilar from what is described as new in relation to Google, Coca-Cola, Verizon Communication Inc and Mazda Motors Corp.

Jon Oltsik, senior principal analyst at Enterprise Strategy Group, an IT research firm is quoted in the article as saying – “There’s not a company anywhere that won’t have to develop something like this.”

We couldn’t agree more.

Do you think Google should move to a full hosted desktop? Let us know in the comments?