Throughout the past decade, public sector cloud adoption has increased as European countries focus on digitally transforming workflows, commonly referred to as e-government initiatives. The British exit from the European Union is playing a particularly critical role in the transformation seen across the UK, as government agencies realign resources and develop plans to adjust to this economic change.
To bolster their position in the digital economy, the UK has documented its strategy related to digital transformation and the use of the public cloud. Specifically, the UK government seeks to improve the experience for citizens, fully transform departments, improve collaboration across organisations, and ensure data is safeguarded.
To this end, the UK Government provides guidance, publications, and declarations related to this strategy to aid public sector organisations as they adopt public cloud. A broad set of compliance and regulatory controls have also been put in place to standardise cloud usage and safeguard sensitive information.
With all the information and regulations out there, it can be difficult to cut through the noise to understand what’s important for your organization to put into place and what resources are available to help. In this article, we break down government initiatives that are driving cloud adoption and key compliance regulations you should know as a public sector organization that is planning to, or already operating in the cloud.
Four government initiatives driving cloud adoption that you should know
- Local Digital Declaration: The Local Digital Declaration was established to develop common building blocks to help organisations build flexible services quickly and effectively, and it invites all authorities and organisations to commit by signing.
- Technology Code of Practice: The Technology Code of Practice is part of the Transformation Strategy and Local Digital Declaration, and it provides guidance to help organisations manage the full lifecycle of their technology. It also documents numerous standards across accessibility, APIs, security (from the National Cyber Security Centre), data protection, the Cloud First policy, and more.
- Cloud First Policy: The Cloud First Policy was established in 2013 and mandates that central government consider and fully evaluate public cloud solutions before alternatives such as hybrid or private cloud. The wider public sector is strongly encouraged to follow it as well.
- Digital Marketplace: The UK Government has a Digital Marketplace for public sector organisations to procure cloud software and services (the Government Cloud “G-Cloud” framework), digital outcomes and specialists, and data centre space.
CloudHealth by VMware is proud to be part of the G-Cloud framework and available to help public sector organisations in the UK align their cloud initiatives to their business goals. You can learn all about the G-Cloud framework, including the inclusion requirements and benefits, in our article here.
Six cloud compliance frameworks and regulations you should know
- ENISA IAF (EU): The European Union Agency for Cybersecurity (ENISA) contributes to EU cyber policy and helps Europe prepare for the cyber challenges of tomorrow. Within ENISA’s Cloud Computing Risk Assessment is the Information Assurance Framework (IAF), which is a set of criteria designed to assess the risk of adopting cloud services, compare different cloud provider offerings, obtain assurance from the selected cloud providers, and reduce the assurance burden on cloud providers.
- EU-U.S. Privacy Shield Framework: The EU-U.S. Privacy Shield Framework was a mechanism designed to provide a lawful basis for transferring personal data from the European Union to the United States. U.S. businesses receiving personal data from Europe could self-certify to the framework; participation was voluntary, but it was widely relied on by U.S. companies trading in Europe. The Privacy Shield defined a set of requirements governing the use and handling of personal data transferred from the EU, as well as access and dispute resolution mechanisms that participating companies had to provide to EU individuals.
Companies had to let individuals know how their data is processed, limit the purposes for which it is used, protect data for as long as it is held, and ensure accountability for data transferred to third parties. In July 2020, the Court of Justice of the European Union invalidated the Privacy Shield in its Schrems II ruling, so it can no longer be relied on for transfers. Affected companies now typically fall back on the standard contractual clauses approved by the European Commission (non-negotiable template contracts), and the same ruling requires them to assess whether the laws of the destination country undermine those clauses and to add supplementary measures where they do.
- EU Model Clauses: The EU Model Clauses (also called standard contractual clauses, or SCCs) are standardised contractual terms, approved by the European Commission, that are written into agreements between service providers and their customers so that any personal data leaving the European Economic Area (EEA) is transferred in compliance with EU data-protection law. They were originally drawn up under the EU Data Protection Directive 95/46/EC, which the GDPR has since replaced.
- GDPR (EU): The EU's General Data Protection Regulation (GDPR) protects data subjects' fundamental rights to privacy and to the protection of their personal data. It applies not only to businesses established in the EU but to any organisation, wherever it is located, that collects, processes, or stores the personal data of EU data subjects. Among its obligations is the storage-limitation principle, which means every such organisation needs a documented data retention policy that keeps personal data no longer than the purpose it was collected for requires.
- Cyber Essentials Plus (UK): Cyber Essentials is a UK government-backed scheme that helps organisations assess and mitigate the risk from common cyber threats to their IT systems and the data those systems hold. Certification is a requirement for suppliers bidding for central government contracts that involve handling personal information or providing certain ICT products and services. Cyber Essentials Plus adds independent assurance: an authorised certification body tests the implemented controls hands-on (for example, by scanning and testing the in-scope systems) rather than relying on the organisation's self-assessment alone.
- PASF (UK): The National Policing Information Risk Management Policy sets the central standards and controls for law enforcement agencies that are assessing the risk of moving police information systems to the cloud. The policy requires that all national police services in the UK that store and process protectively marked or other sensitive law enforcement information must conduct a physical inspection of the data centre where their data will be stored. A successful assessment determines that a data centre qualifies as a Police-Assured Secure Facility (PASF).
If this feels like a lot to take in, don’t worry! You’re not alone. The CloudHealth platform helps public sector organisations deliver new and improved services to their constituents by accelerating migration to the cloud, optimizing the use of IT funds, and ensuring security and regulatory compliance. Get started with CloudHealth today!
Also, keep an eye on the CloudHealth blog, where we'll be sharing a follow-up to this article with six best practices for public sector organisations to successfully manage their cloud operations. Stay tuned!