The Doppler Quarterly Spring 2019 - Page 70

cation of far-reaching laws requiring the protection of data connected to a country’s citizens – whether that data resides inside the country’s national borders, or on servers or storage services elsewhere around the world.

In the days of on-premises computing, data requirements used to be easy to navigate. Data would be stored in data centers, and data gravity generally kept it there. Today, in the cloud, data is stored in different places and accessed across borders, forcing companies to pay close attention to how they are managing their data in different locales.

The most publicized and far-reaching set of data regulations is the European Union’s General Data Protection Regulation (GDPR). But there are dozens more – from the China Cybersecurity Law, to Brazil’s General Data Privacy Law, to Japan’s Personal Information Protection Act, to Chile’s Law for the Protection of Private Life. In addition, Europe has separate privacy laws in 28 countries; the U.S. has more than a dozen regulations that apply to cloud-related data (including HIPAA, FERPA and the USA PATRIOT Act); and more than two dozen other nations are developing their own data sovereignty regulations.

Taking Steps to Comply

So, what should companies storing data in the public cloud do to ensure they are complying with data sovereignty laws? The answer depends, in part, on whether they are planning to sign on with one of the large public cloud platforms or with another service provider. The large platform providers – AWS, Microsoft Azure and Google Cloud Platform – all have robust programs in place to support compliance with data residency requirements. With other cloud service providers, you need to exercise proper due diligence, as their abilities can be inconsistent with regard to supporting data sovereignty compliance.
Couple this with the fact that some nations’ data sovereignty laws are difficult to interpret and even harder to keep up with. The China Cybersecurity Law, for example, requires companies to follow localization requirements for what the government calls “important data.” But the definition of “important data” can be, and has been, interpreted in different ways, leading to uncertainty about the steps cloud operators and cloud consumers need to take to operate in the Chinese market.

If you are considering working with a service provider other than the big three, be prepared to gather answers to a few key questions. First, you need to know where a provider’s data center – or data centers – are located. Certain countries – Russia, China and others – require data to be housed within their borders. How is the data being protected in that environment, both physically and logically? How is encryption handled? Who has access to the keys? And what systems does the provider have in place to ensure that the data does not leave that particular locality? How is data access monitored, and how are alerts raised? Companies should understand how they plan to use and share their own data, and make sure the service provider has systems in place that answer the above questions. That will determine whether the service provider can comply with regulations in countries where your company plans to do business.