The issues of data security and sovereignty have become hot topics in recent years as increasing amounts of sensitive, confidential and personal information is stored in the cloud. With these concerns have come revisions to laws in many countries and jurisdictions to keep up with the changing landscape of data privacy.
The trickiest thing to legislate is managing the exchange of information across borders, simultaneously allowing the transfer of data while maintaining the maximum level of security. This requires multi-national agreements in an attempt to get different countries with different laws to comply to a unilateral level of data protection.
However, this can mean that data is not always as well protected as we think. For instance, the Safe Harbour agreement sidesteps legal obstacles to transmitting personal information between the European Union and the United States by setting out “the adequate level of protection for the transfer of data from the [EU] to the United States [that] should be attained if organisations comply with the Safe Harbour privacy principles for the protection of personal data transferred from a [EU] Member State to the United States.” This is separate from the privacy policies of the EU and the US, requiring only adherence to the Safe Harbour privacy principles of notice, choice, onward transfer, security, data integrity, access and enforcement.
Throw in the Patriot Act, Edward Snowden and PRISM and it’s safe to say if someone really wanted to access your information (legally or otherwise) they could, no matter where you store it. The point is that global legislation doesn’t provide any guaranteed cross-border data protection.
The best thing you can do is to mitigate risk by understanding it. For example, know that governments and litigants may find it easier to access your data in foreign territory. Also know that foreign privacy laws may be considerably different to the ones in your own country. What’s more, contracts with foreign data centres may be unfavourable or silent on key terms.
So when it comes to privacy and data security you need to do your research. Ask your data hosting company the important questions, such as:
- Are they audited?
- Are they ISO27001-accredited, which will ensure the highest level of security for your data?
- Who has access to your data?
- Is support staff access to your data audited?
- Can you access these logs easily along with the audits of your own users access to the system?
Carry out further due diligence by understanding the host country’s data legislation. You can find this out by investigating data protection laws in the country that your data may be hosted in, checking first that the country has data protection laws at all, and delving deeper to check who these laws apply to and what access the government has or allows to other countries’ governments.
Once you know what you’re up against, deploy and enforce a robust cloud data location and jurisdiction policy to protect your interests. Make sure you choose a cloud provider that offers hosting in your country of choice, but also make sure you investigate the country in which the provider is based as this can affect the security of your data.
For instance, my company HighQ is a registered UK company with data centres in Europe, US, Channel Islands, and the UAE and Australia. Our customers can choose which jurisdiction their data is held, and being a UK registered company, we can ensure (based on existing legislation) that non-US customer data is protected from US laws.