Journey to the Cloud: Key Things you Need to Know about Data Sovereignty

Cloud-based services can offer organisations significant value. From a cost, maintenance and deployment standpoint, the cloud can deliver applications and data to help organisations move faster and be more competitive.  However, headaches can start when it comes to data, more specifically, where it’s housed and who is looking after it. Even more so now with the incoming GDPR legislation looming. If this isn’t something you’ve given much thought, we would suggest that you need to – and soon.

We’re not suggesting delaying, let alone cancelling cloud migration efforts, but instead making a closer examination of key considerations at the outset.  In particular: where your data will reside, what’s in the small print, and whether your cloud services provider is transparent.

Increasingly we’re seeing pressure put on companies to make data available for ‘security’ reasons, so it’s important that organisations aren’t storing data in countries where such pressure is being applied perhaps unreasonably. For example, if you use webmail provided by an international service provider, your data is held under the jurisdiction where that provider is based.

While we understand that for security reasons, data might be made available for a particular reason, such as suspected criminal activity, we have also seen recently the US government demanding 1.3M IP addresses of visitors to the anti-Trump protest website disruptj20.org. Whether just visiting such a site could be deemed as ‘criminal activity’ is up for debate, but nevertheless, the alleged ‘disruptive’ aspect of the site gave cause for the US government to go to the ISP and demand visitors’ data.  If that data is made available, then how is it going to be used and what’s the risk that it will leak out?

Essentially, if you’re not sure about whether you want your data to be on servers that are under someone else’s legislation, then it’s critical that you ask your provider how and where they intend to store your data. More importantly, you need to be sure that you trust that they are being transparent when it comes to providing the answer.

When it comes to data and where it’s housed, ownership is everything. If your service provider doesn’t have ownership of where your data is stored, then you seriously need to question this. At Intercity Technology, we have 100% ownership of our data centres and we are strict about where data is being held.  Even if presented with a more convenient way of hosting data we wouldn’t sacrifice what we stand by, but that’s a more difficult promise to make for service providers who are using third parties. You need to work with a service provider that understands your concerns around data and meets your needs, not one that expects you to like it or lump it, meaning that you sacrifice what you really require.

If you think about it like this – if you’re a tenant you haven’t got control, you have to ask permission before you can do anything, but when you’re a homeowner you can do what you like as your property is 100% yours and in your control. Similarly, once you have given your data to a service provider that doesn’t own its data centre you’re separated from the people who are physically hosting it.  You’re relying on your service provider to make sure everything runs smoothly, which should be the case for most of the time, but what if they can’t do this because they have limited control and what if something does go wrong? This is when we come back to the all-important question for your cloud service provider; can you really promise me my data won’t leave the UK?

With the upcoming GDPR law coming into place in May 2018, if your data is already outside of the UK you’ve got to ask yourself what will happen if something goes wrong. For example, TalkTalk was fined £100k after the data records of 21,000 people were exposed to fraudsters in an Indian call centre. As Information Commissioner Elizabeth Denham said “TalkTalk should have known better and they should have put their customers first.” TalkTalk’s subsequent decision to withdraw all customer service operations from India indicates how serious an issue this was for them and their customers.

The point is this – if you take the risk when it comes to your data, particularly that of your customers and it goes wrong then it could have drastic consequences, so ultimately, you’ve got to ask yourself – are you feeling lucky?

If this blog has helped you understand the importance of data sovereignty and you want to explore it in more detail then why not take advantage of our complimentary cloud audit and let us support you on your journey to the cloud…