New research from cloud and hosting services provider, IONOS, has found that 44% of IT decision makers (DMs) in the UK don’t have a comprehensive understanding of the US CLOUD Act, ultimately putting their data at risk.

The survey, which polled 500 UK IT DMs, explored the industry’s understanding of key data legislation, attitudes towards data storage and cloud services usage.

The US Clarifying Lawful Overseas Use of Data Act, known as the CLOUD Act, has been a controversial topic since it was passed by the US Congress in 2018, and even more so since the US and UK signed the CLOUD Act agreement almost six months ago. One key element of the legislation gives US law enforcement authorities the power to request data stored by most major cloud providers.

However, almost half of UK IT DMs (47%) are not aware that US cloud hosting providers may be required under the legislation to disclose customers’ data, whether it is stored inside or outside of the US, irrespective of GDPR rules.

In contrast, and highlighting the dominance that GDPR has taken in the attention of IT decision makers, 92% of respondents claimed to now have a comprehensive understanding of the EU regulation. While questions have been raised about changes to the legislation post-Brexit, UK businesses must continue adhering to GDPR throughout the Brexit transition period. It’s also expected that the government will include GDPR within the existing UK Data Protection Law so it continues to be enforced after the transition period ends on the 31st December.

Surprisingly, when also questioned about what data businesses store in the cloud, 54% were willing to store personal customer and employee information, and 50% payment information or payroll and accounting data.

“GDPR compliance has been a key focus for many European and global businesses since it was introduced, but IT professionals are under pressure to keep up with the constantly evolving data security landscape,” explained Achim Weiss, CEO at IONOS. “The US CLOUD Act adds another layer of potential misunderstanding for those hosting with US cloud providers. The only option to immediately minimise risk for EU businesses is to choose European providers that only follow GDPR.”

“What’s also obvious from the findings is that there’s a clear inconsistency between businesses wanting to prioritise data privacy and security, and the actual reality of the situation. As an industry, there’s a vital need for education around storage best-practice, and ongoing knowledge-sharing around how changing legislation could impact data storage for UK businesses – especially during the current Brexit transition period,” Achim concluded.