Data Sovereignty is set to become a major issue both for companies looking to provide cloud services and those organisations considering moving their applications to the cloud.
When you contract with a cloud computing provider do you stipulate where your data can and cannot be? With the global purveyors of cloud solutions your data travels over the internet to and from one or more externally managed data centres. It may be in, or processed by servers in multiple locations around the world.
A variety of legal issues can arise when data resides in a cloud provider’s data centre in a different country than the one in which either the customer or the customer’s clients reside. Different countries, and in some cases in the US different states, have different laws applying to the data.
It was recently revealed that US based cloud providers may have to comply to the Patriot Act requests for data that’s located in a provider’s European data centres, even though this conflicts with the EU’s 1995 Data Protection Directive.
In response to that the EU announced that it will propose reforms to the EU directive in 2012.
The question: “Which law applies to my organization’s data in the cloud: The law where I’m located, the law where my data’s located, or the law where the data subject is located?”
As yet there is yet no international agreement on the answer.
At M7 we discuss the issue with our customers and software vendors before we propose a cloud solution.
Many of our UK customers want their data hosted and backed up in the UK and only in the UK. Pressure or directives from government, auditors or their supply chain may dictate this. Some International customers may want a public cloud solution using cloud technologies to provide application solutions where the data itself is not sensitive to location. They may already hold it in several countries within their own data centres.
More common now are the hybrid solutions where some data is held in the UK and other data is held in a public cloud. With public cloud solutions often being procurred by line of business executives, management and security within this environment become key issues along with a disaster recovery plan that is appropriate for this new computing model.
