European cloud adopters cautious on privacy

Phil Wainewright, September 19, 2013
Do privacy rules pose a barrier to cloud adoption in Europe? Gatwick's CIO explains how the airport handles data protection in its move to the cloud

Aerial view of Gatwick

Identity and access management provider Okta is stepping up its expansion in Europe on the back of a new round of VC funding announced a few days ago. But caution about privacy and data protection concerns is holding back adoption in the region, CEO Todd McKinnon told me last week.

Okta customers in Europe include London Gatwick Airport and Swiss building materials manufacturer Holcim. "What people are seeing is that [in] the international markets, cloud is really being adopted and it's catching up. Adoption in Europe is growing quickly," said McKinnon.

But the sales process in Europe is complicated by a web of data privacy and protection rules that vary from country to country, he went on:

"The privacy and the legal issues around data security and access are more complicated in Europe ... If [a business has] a provider in one region but their customers are in a different region, the legality of that is very unclear. There's a general lack of knowledge of what the law is and there's a lot of ambiguity about what the law is.

"It's holding the industry back. Some projects just don't go forwards."

Nevertheless, many decide the rewards of going cloud outweigh any risks posed by the uncertainties, he added:

"Customers and prospects more and more are understanding the benefits of cloud technology and what they can do. The value is getting to an accepted level to which more and more people can live with the ambiguities."

Draft legislation

Europe's 1995-era data protection rules are due to be updated next year with new legislation that aims to harmonize data privacy requirements throughout the 28 member countries of the European Union. The European Parliament is currently reviewing proposals published in January last year with the aim of enacting the legislation ahead of elections next June. But not everyone is happy with the draft legislation and so the timetable may yet meet further delays.

EU commissioner Viviane Reding, who is pushing through the data protection regulations, has also initiated a review of the EU's Safe Harbor agreements with the US in the wake of the Snowden revelations, potentially adding to uncertainties.

The danger is that policy makers in Europe and elsewhere in the world will end up with rules that disadvantage their economies in an increasingly connected world. "It's like global trade. Countries have to deal with it. If countries don't open up to it, they're going to be left behind," said McKinnon.

Gatwick's cloud refit

With 34 million passengers a year, 2,500 airport staff and a further 25,000 users working at businesses that use its facilities, Gatwick Airport has more cause than most to worry about its data privacy obligations. But that hasn't held back a drive to adopt cloud services.

The airport has had to completely refit its IT infrastructure after separating from its former owner BAA in 2010, transferring or replacing a total of 133 separate applications that had previously been run from its former parent's headquarters at London Heathrow.

One of the first cloud applications to go online was an online car park reservation system provided by car park operator APCOA. Implemented in just 16 weeks, the system went live in December 2010 on the same day that a heavy snowstorm hit the airport, successfully processing thousands of cancelations as travelers rearranged or shelved their journeys.

Last year, the airport approved an aggressive plan to move even more of its IT to the cloud. It uses cloud-based services such as Box, Yammer, ServiceNow and Amazon Web Services and has retired 200 servers as it progresses plans to slim down from three data centers to just one by 2016.

Q&A with Gatwick's CIO

CIO Michael Ibbitson answered some questions this week via email about Gatwick's handling of data protection and privacy. Here are the questions and his replies.

What really matters to your customers in terms of data protection and privacy?

Trust is critical. When you travel through an airport you have to share personal information with both your airline and the airport. As an airport we handle approximately 272 million pieces of personal data across our 34 million passengers every year. Protecting that data is absolutely critical and we have robust measures in place to do that.

We have a dedicated team within Gatwick IT that is constantly reviewing and monitoring our systems and processes to ensure we are providing the right level of protection for that data.

Do you have to be more careful about data protection and privacy when you're using cloud services than you did with on-premise systems?

It's all about assurance. When you manage on-premise systems you have to understand and manage the risks that come with it and put in place the right people, process and technology. But you have to take this same approach when using cloud services. The risks are different but you still need to ensure you have the right people, process and technologies in place to manage those particular risks.

At Gatwick we send our team into the offices of the service provider to perform audits and assessments of their processes and technologies. This provides us with the assurance that they can meet our requirements but, just as importantly, it meant that we could give them feedback on what it is we need and give them the opportunity to improve and meet those needs.

In the case of Okta we sent two people to their offices in the US for four days. Okta were very open and receptive to this approach and implemented a couple of changes to ensure they could meet our demands. We will be repeating a review of their services on an annual basis.

It's a larger upfront investment but it provides a significant level of comfort to our executive management, shareholders and customers that we are taking their data protection and privacy concerns very seriously.

What precautions do you take to make sure that, as far as possible, you are compliant with data protection and privacy regulations?

As well as thoroughly auditing the service provider we also ensure that they all meet the EU requirements for data protection and privacy, even those outside the EU. In the case of US companies, those that have Safe Harbour certification meet EU regulations. In our reviews of service providers we assess them against the EU requirements and their own certifications to ensure they are compliant, plus any additional needs that we have.


Enterprises make pragmatic choices to go cloud when the business need is clear. But policy makers need to remove uncertainties that are making that decision process more difficult than necessary.

Photo credit: © Gatwick Airport Limited
