The disbanding of the Safe Harbour agreement and subsequent introduction of the Privacy Shield, the General Data Protection Regulation (GDPR) and the UK’s decision to leave the European Union have pushed the issue of data sovereignty into focus.
But in reality, this is just the tip of the iceberg for a process that is growing in complexity.
In the past, the issue of data sovereignty barely registered. Data was held in local data centres subject to the relevant laws and regulations of that country.
However, the rapid growth of cloud technology means data can be stored anywhere, making compliance regulations hard to adhere to.
Freedom of movement for data
The advent of the cloud essentially introduced “freedom of movement” to data, allowing organisations to store information in data centres in other countries.
However, as with people, freedom of movement requires that countries agree to regulations and laws that ensure data stored in another territory is subject to the same standards people and businesses enjoy in their own country.
Hence the adoption of the GDPR by the EU (and the Privacy Shield framework agreed between the EU and the US government).
GDPR seeks to ensure data stored in data centres in EU countries is subject to common compliance regulations.
Brexit has the potential to disrupt this agreed consensus and make life difficult for cloud providers to service EU customers from data centres based in the UK.
Withdrawal from the EU (and GDPR), creates a potential minefield for UK and international companies moving data in and out of Europe.
UK data centres for UK businesses
The obstacles are not deterring major cloud providers from investing in the UK.
Microsoft recently launched Azure UK data centres and Amazon Web Services (AWS), which has had a presence in Ireland since 2007, is expected to add to its UKI data centres with a UK base launching imminently.
AWS UK and Ireland managing director, Gavin Jackson, explained his intentions to attendees at the recent AWS Summit in London: “We will continue our path to launch a UK region at the end of this year or at the beginning of next year. Our message to the people in this room is to keep calm and carry on innovating with AWS.”
But despite his reassuring words, things have changed.
Pre-Brexit UK-based data centres would have been able to store information from organisations in other EU countries and share a common regulatory framework.
Post-Brexit, unless the UK adopts GDPR, that is unlikely to be the case.
It’s quite possible that cloud providers will need to build UK data centres to store information locally because data will no longer have freedom of movement.
This would put the UK in the same league as non-EU countries such as Russia, where if businesses want to sell online in the Russian market they need to have infrastructure inside Russia.
Similarly, in China, there are a number of regulations that need to be navigated, including strict limitations on the vendors a company can buy bandwidth from.
Data sovereignty is physical
Discussions concerning data regulation in a post-Brexit landscape have merely served to reinforce the point that, in many instances, data sovereignty is still intrinsically linked to the physical location of the data.
Cloud computing gave rise to the illusion that data could be unshackled from the physical bonds of geography, but data is still subject to the laws and regulations of the country in which it is created.
In the context of Brexit, there will be one more nation on the list of territories where cloud providers will need to have data centres in-country (and there will be one less European nation covered by GDPR – and the Privacy Shield).
The UK’s vote for political sovereignty has not only fractured the post-war European consensus, it has also thrown a spanner in the works of common shared data regulations.
The cloud is still local
As a result, businesses considering using cloud providers need to have a much clearer view of where their data is stored.
Providers that have chosen to locate data centres in some countries because of lower business costs will struggle to guarantee data can be held to the same standards as in the country where it is created.
For most organisations, data compliance and regulatory concerns will require that cloud providers have local infrastructure to store and protect their data.
Put simply, data sovereignty regulations will ensure that cloud service providers are unable to do business in many nations if they do not use data centres located in those countries.
The onus will be on cloud providers to reassure customers that they can store their data in the correct location and conform to the defined regulatory framework.
>See also: Change is coming: the GDPR storm
Cloud providers with a global footprint will be in a strong position to provide that reassurance.
This is because as cloud provision is their sole business, they will have a much stronger focus on local data compliance and regulatory requirements for the countries where they do business than most internal IT departments.
Choosing the right cloud provider can help companies to save time and resources trying to grapple with data sovereignty and compliance issues and concentrate on running the business instead.
When it comes to choosing a cloud provider, companies should be aware that despite everything, sovereignty still imposes limitations, data in the cloud is still earthbound.
Sourced by Tony Connor, head of EMEA marketing at Datapipe