Do you know where your data is?

30.09.2011

The (based on the EU Data Protection Directive 1995) has been around in one shape or another for quite some time, so awareness is high among affected organisations. But the Act's stipulation that personal data should not be transferred to a country or territory outside the European Economic Area - unless that country provides an adequate level of protection - isn't always factored in to the decision-making process where cloud-based services are concerned.

Sometimes this happens because the money comes from departmental budgets, and is spent by people who are not aware of the implications of their actions; sometimes the ignorance is higher up the food chain.

"A minority of organisations are getting very smart about incorporating information security and sovereignty into their contracts with cloud-based providers," reports Rob Rachwald, director of security strategy with Imperva (a data and application audit and security specialist). Some may even go as far as auditing their cloud-based service provider.

"It will get better, because it's an evolutionary thing," he says, but at the moment, most organisations are less evolved. "When you go into the cloud, it's often because it's cheaper, and you think you can forget about hardware and software," he explains, "so a lot of organisations don't think about issues such as data security or sovereignty until there's a problem."

Cloud computing allows you to abdicate responsibility for a lot of the processes that would otherwise need to accompany your use of computing resources, but this doesn't include compliance with data protection law; so users of cloud services must know the physical location of the servers on which their data is processed and stored.