In order to ensure compliance with existing and emerging data protection legislation, UK organisations of all sizes need to know where in the world their data is stored and managed when they choose to use cloud services, applications and backup. If comprehensive questions about data sovereignty are not currently part of your data governance strategy – they should be.
Cloud computing has relied heavily on a globally distributed infrastructure to offer the economies of scale that keep prices down, with data travelling to data centres outside the UK and Europe for cost and redundancy reasons.
Defining the right data safeguards
European data protection laws were in place before cloud services became a pervasive computing option, but the intent was clear: personal data could only be transferred to countries that could demonstrate the right data safeguards. So who defines what is ‘right’?
When Edward Snowden’s disclosures about the PRISM programme became public in 2013, they not only revealed the scale of data collected from US Internet companies, but also the fundamental differences between Europe and the US on privacy rights.
Organisations realised that, if their data was held in the cloud by a company registered in any foreign country, the provider would be compelled to abide by the local data access and privacy laws. This lack of control over data put European companies using cloud services and applications at risk. Data sovereignty was a significant driver for the European Court of Justice Declaration in October 2015 that the Safe Harbour agreement, in place since 2000 as a way for US firms to transfer data from Europe without breaking its rules, was invalid. This meant that as far as the EU was concerned, the US could no longer guarantee the ‘right’ data safeguards.
In response to concerns about data location, France and Germany have already brought legislation into force that all personal data must be held in country. Companies such as Amazon and Microsoft are heavily investing in European facilities to help their customers choose where in the world they want to store information. But will changing the location of a service provider’s data centres be enough to prevent UK companies potentially falling foul of data protection legislation? In our experience, no.
Beyond location – the questions you need to answer
Countries across the globe are reviewing their data sovereignty laws – including data transfer, privacy, encryption, storage, backup, and overall information governance.
This diversity of regulatory frameworks will be a challenge for global organisations and cloud providers. The EU is one of the few areas seeking to harmonise legislation and reduce the administrative burden for any organisation that processes EU residents’ personally identifiable information (PII). From 25 May 2018, the EU General Data Protection Regulation (GDPR) will come into force bringing with it much stiffer penalties for data breaches.
In a recent survey by the Institute of Directors, 43 per cent of organisations did not know where their data is stored. If organisations are going to reduce the risk of data protection non-compliance, UK PLC needs greater control of data sovereignty. And even if the major cloud providers take an ‘if we build it locally they will come’ approach, having a UK or European data centre may not be enough to ensure comprehensive compliance.
In our experience, if you are considering any cloud-based service, you should be asking providers the following questions:
1. Where is your data stored?
This may be the most basic of questions to ensure data sovereignty, but you must understand where your provider’s business is registered and headquartered. If it is not in the UK or Europe, this could affect which privacy laws apply to your data and who may be permitted to access it. As part of your data governance and compliance strategy, you may decide to use different providers for different types of cloud services. For example, for spinning up a development environment with dummy data you may not need to think too hard about where the data is processed – unlike the compliance requirements that control your Customer Relationship Management system, health or any other confidential, regulated information.
2. Who has access to your data?
In order to offer 24/7/365 services, some suppliers, particularly Managed Security Services Providers (MSSPs), have follow-the-sun data centre infrastructures. This means that when UK analysts finish their shift, colleagues in Asia take over the task of monitoring systems and data. In this scenario, although your data may be physically held onshore in the UK or even near shore in Europe, the people accessing it may be in a completely different jurisdiction that is not governed by the same data protection regulations. Understanding who can access your data is particularly important for organisations that require analysts to have specific security clearance.
3. Where is your data backed up?
One issue that has emerged recently is that some cloud service providers do not hold backup copies of your data in the country where it is processed. This again means that the backup copy will not be governed by the same data protection rules and could be at risk. This is a question you may particularly want to ask of your chosen cloud file sharing service, as many of these providers keep copies of data offshore.
4. How is your data encrypted?
You may encrypt your data as it traverses the internet (known as data-in-transit) in the form of https (secure web) or virtual private networks (VPNs). But what about where your data is stored (known as data-at-rest)? Is offsite backup media encrypted on tapes or hard drives? Is the cloud storage solution encrypted at source, before the data leaves your control? Laws commonly dictate that data is encrypted when in transit, but many countries also require that certain encryption standards apply when data is at rest. Are all your service providers able to guarantee that they comply with all relevant encryption standards for your business?
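One way to make “encrypted at source” concrete is to encrypt each record under a key that never leaves your own jurisdiction before it is handed to a cloud storage, file sharing or backup provider; the provider, its offshore backup copies and its follow-the-sun staff then only ever hold ciphertext. The following Go program is an added example written for this article, not code from the author or from any provider. It uses the standard library’s AES-256-GCM and assumes the 32-byte key is supplied by a key management system you control; the SealedRecord type, the key id “uk-kms-key-01” and the object path are constructed names for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// SealedRecord is what leaves the organisation and lands with the cloud
// provider. It carries no key material: KeyID only names which in-house
// key was used, so the provider (and anyone with access to its backups)
// holds ciphertext alone. Hypothetical structure for this example.
type SealedRecord struct {
	KeyID      string
	Nonce      []byte
	Ciphertext []byte // AES-GCM output with the authentication tag appended
}

// EncryptAtSource encrypts plaintext under a 32-byte AES-256 key before it
// is handed to any provider. aad is authenticated but not encrypted; binding
// the object's path or identifier here means a ciphertext restored from the
// wrong backup location (or swapped between records) fails to decrypt.
func EncryptAtSource(key []byte, keyID string, plaintext, aad []byte) (SealedRecord, error) {
	if len(key) != 32 {
		return SealedRecord{}, errors.New("key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return SealedRecord{}, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return SealedRecord{}, err
	}
	// A fresh random nonce per record; reusing a nonce under the same key
	// breaks GCM's confidentiality and integrity guarantees.
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return SealedRecord{}, err
	}
	return SealedRecord{
		KeyID:      keyID,
		Nonce:      nonce,
		Ciphertext: gcm.Seal(nil, nonce, plaintext, aad),
	}, nil
}

// DecryptAtSource reverses EncryptAtSource. It returns an error rather than
// corrupted plaintext if the ciphertext, nonce or aad were altered.
func DecryptAtSource(key []byte, rec SealedRecord, aad []byte) ([]byte, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(rec.Nonce) != gcm.NonceSize() {
		return nil, errors.New("nonce has wrong length")
	}
	return gcm.Open(nil, rec.Nonce, rec.Ciphertext, aad)
}

func main() {
	// Constructed sample: in practice the key comes from a key management
	// system under your own jurisdiction and is never shared with the provider.
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	objectPath := []byte("backups/2018/crm-export.csv") // constructed identifier
	rec, err := EncryptAtSource(key, "uk-kms-key-01", []byte("customer PII goes here"), objectPath)
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored with provider: key id %s, %d bytes of ciphertext\n", rec.KeyID, len(rec.Ciphertext))

	// Restoring the record under a different object path (different AAD) is rejected.
	if _, err := DecryptAtSource(key, rec, []byte("backups/2018/other.csv")); err != nil {
		fmt.Println("restore under wrong object path rejected:", err)
	}
	pt, err := DecryptAtSource(key, rec, objectPath)
	if err != nil {
		panic(err)
	}
	fmt.Println("restored locally:", string(pt))
}
```

The point for the provider questionnaire is the separation of duties this creates: the key id travels with the record so you can rotate keys and audit which one protected which object, while the provider’s own encryption at rest, backup location and operator access become a second layer rather than the only one.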
The data sovereignty imperative – part of doing business
As part of your data governance strategy, you may decide that it is an acceptable risk to hold some information off shore, but in some instances organisations will not have a choice. Any business that wishes to tender for Government business must now adopt the Cyber Essentials Scheme (CES). Part of CES, which concentrates on the top five cloud security principles, dictates that all Government data must remain ‘on shore’. This is just one example of how decisions around data sovereignty can have a direct impact on business opportunity.
Although the rules still have some time to evolve, we anticipate that as the EU General Data Protection Regulation (GDPR) creeps closer, businesses of all sizes will need to ensure that they meet data sovereignty requirements as part of their overall compliance with the directive.
Next steps for data protection
- Build a data governance strategy; understand where your data is retained, where your data is backed up, and whether or not it is encrypted
- Understand who has access to your data. Seek clarity on who administers it and what type of reporting you will receive
- Think about how your data governance fits within your wider cybersecurity maturity model
- Demonstrate your commitment to cyber maturity with the right accreditations from Cyber Essentials to Public Service Network (PSN) Accreditation
- Ensure you will comply with EU Data Protection by choosing Data Sovereign MSSPs
Paul Rose, Chief Technology Officer, CNS Group