cation of far-reaching laws requiring the protection of data connected to a country’s citizens – whether that data resides inside the country’s national borders, or on servers or storage services elsewhere around the world.
In the days of on-premises computing, data requirements used to be easy to navigate. Data would be stored in data centers, and data gravity generally kept it there. Today, in the cloud, data is stored in different places and accessed across borders, forcing companies to pay close attention to how they are managing their data in different locales.
The most publicized and far-reaching set of data regulations is the European Union’s General Data Protection Regulation (GDPR). But there are dozens more – from the China Cybersecurity Law, to Brazil’s General Data Privacy Law, to Japan’s Personal Information Protection Act, to Chile’s Law for the Protection of Private Life. In addition, Europe has separate privacy laws in 28 countries; the U.S. has more than a dozen regulations that apply to cloud-related data (including HIPAA, FERPA and the USA PATRIOT Act); and more than two dozen other nations are developing their own data sovereignty regulations.
Taking Steps to Comply
So, what should companies storing data in the public cloud do to ensure they are complying with data sovereignty laws? The answer depends, in part, on whether they are planning to sign on with one of the large public cloud platforms or with another service provider. The large platform providers – AWS, Microsoft Azure and Google Cloud Platform – all have robust programs in place to support compliance with data residency requirements. With other cloud service providers, you need to exercise proper due diligence, as their abilities can be inconsistent with regard to supporting data sovereignty compliance.
This is compounded by the fact that some nations’ data sovereignty laws are difficult to interpret and even harder to keep up with. The China Cybersecurity Law, for example, requires companies to follow localization requirements for what the government calls “important data.” But the definition of “important data” can be, and has been, interpreted in different ways, leading to uncertainty about the steps cloud operators and cloud consumers need to take to operate in the Chinese market.
68 | THE DOPPLER | SPRING 2019
If you are considering working with a service provider other than the big three, be prepared to gather answers to a few key questions. First, you need to know where a provider’s data center – or data centers – are located. Certain countries – Russia, China and others – require data to be housed within their borders. How is the data being protected in that environment, both physically and logically? How is encryption handled? Who has access to the keys? And what systems does the provider have in place to ensure that the data does not leave that particular locality? How is data access monitored, and how are alerts raised? Companies should understand how they plan to use and share their own data, and make sure the service provider has systems in place that answer the above questions. That will determine whether the service provider can comply with regulations in the countries where your company plans to do business.
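The due-diligence questions above can be turned into a repeatable check. The following is an added example, not code from the article or from any provider: it evaluates a constructed storage inventory against a constructed residency policy, flagging stores whose primary region or replicas fall outside the allowed regions, that are not encrypted at rest, whose keys are held by the provider, or whose access is not monitored. Region names and the policy mapping are illustrative placeholders.

```python
from dataclasses import dataclass, field

# Constructed policy: jurisdiction -> regions allowed to hold that data.
# Real region identifiers and legal requirements come from counsel and the
# provider's documentation; these are placeholders for the example.
RESIDENCY_POLICY = {"EU": {"eu-central", "eu-west"}, "CN": {"cn-north"}}

@dataclass
class StoreRecord:
    name: str
    jurisdiction: str                     # whose citizens' data it holds
    region: str                           # provider-reported data-center region
    replica_regions: set = field(default_factory=set)  # where copies may land
    encrypted_at_rest: bool = False
    customer_managed_keys: bool = False   # customer, not provider, holds the keys
    access_logging: bool = False          # is data access monitored and alerted?

def check_store(rec: StoreRecord) -> list:
    """Return findings for one store; an empty list means it passes."""
    findings = []
    allowed = RESIDENCY_POLICY.get(rec.jurisdiction)
    if allowed is None:
        findings.append("no residency policy for " + rec.jurisdiction)
    else:
        # Primary location and every replica must stay inside the allowed set;
        # replication is a common way for data to leave the locality unnoticed.
        for region in sorted({rec.region} | rec.replica_regions):
            if region not in allowed:
                findings.append("data may leave jurisdiction via " + region)
    if not rec.encrypted_at_rest:
        findings.append("not encrypted at rest")
    elif not rec.customer_managed_keys:
        findings.append("provider holds the encryption keys")
    if not rec.access_logging:
        findings.append("data access is not monitored")
    return findings

def audit(inventory: list) -> dict:
    """Map each store name to its findings, keeping only stores with issues."""
    return {r.name: f for r in inventory if (f := check_store(r))}

# Constructed sample inventory: one compliant store, one with several gaps.
SAMPLE_INVENTORY = [
    StoreRecord("customer-db-eu", "EU", "eu-central", {"eu-west"}, True, True, True),
    StoreRecord("analytics-cn", "CN", "cn-north", {"us-east"}, True, False, False),
]

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_INVENTORY).items():
        print(name, findings)
```

Running it reports only analytics-cn, whose replica in us-east, provider-held keys and missing access logging each match one of the questions the article says to ask.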