One of the impacts of GDPR is the issue of data sovereignty – that data is subject to the rules and regulations of its point of origin. Where previously you would have been fine to store UK customer data anywhere – perhaps getting a better deal on cloud pricing as a result – you now need to be wary of how and where data is processed and stored. This is important because vast hyperscale cloud providers like Microsoft Azure operate on a global scale. They have data centres on every continent, and as a customer your data could be in any one of them. If you are not careful, you could fall out of compliance and not even know it.
Of course, this is unlikely to happen to most. But there are some Azure customers who might have begun their relationship with Microsoft before GDPR was introduced, and established a cloud strategy before the new data protection requirements were fully known and understood. In other cases, customers may have gravitated towards Azure because they are existing users of Microsoft Windows and Office products, and believe that using Azure is a natural next step. The concern in these cases is that decisions have been made based on what is easy, rather than on what offers the best fit. Such customers may find they have prioritised ease over performance and compliance – to their detriment.
A (recent) history lesson
Of all the cloud hyperscalers, Azure probably has the most notable relationship with data sovereignty. From 2013 to 2018, Microsoft was embroiled in a lengthy legal dispute with the US government over some emails wanted in connection with a federal investigation into drug trafficking. The issue at stake was that the emails were stored in a data centre in Dublin, far outside of US jurisdiction. But while the lawyers were going back and forth, cloud providers everywhere were holding their breath. If Microsoft had lost the case, it would likely have meant the mass departure of non-US businesses from US cloud providers, as well as broader implications for transnational retail. Fortunately, the US government introduced a new law (the CLOUD Act) and the whole thing kind of fizzled out, although it’s worth noting that the CLOUD Act does permit the US government to compel US-based technology companies to hand over data, wherever that data is held.
Choosing the right region
All of this is to say that Azure has experience with the importance of data sovereignty and it has added specific policies to enable you to choose where your data is stored. The infrastructure is divided into geographies, regions and availability zones.
- Geographies – a country or set of countries, such as Canada, Asia Pacific or Europe.
- Region – a selectable scope for deployment location, e.g. Central US, Sweden Central or Japan East.
- Availability zones – unique physical locations (i.e. data centres) within Azure regions.
By selecting your preferred regions, you can take control of your data, ensuring it stays within the regulatory bounds needed to ensure your compliance. For example, the UK has two regions – UK North and UK South. As the entire EU is covered by GDPR (and, post-Brexit, the UK elected to keep the same framework), you could also select any of the European regions – so long as the data you’re handling is permitted to leave the country.
Grounded in the firm Microsoft belief in and commitment to the principle that our customers own their data and have a right to control it, Azure is built with the tools and protections customers need to help address their data residency and data sovereignty concerns."
These tools include Azure Policy’s Allowed Locations tool (used to select which regions you wish to use) and Azure Blueprints, which can be used to help manage data residency for specific compliance needs, e.g. for heavily regulated industries like healthcare.
While the level of control and transparency is very good, there are exceptions to the rules you create within certain tools and applications. When planning your cloud deployment strategy, it is important to take note of these to ensure – again – that you don’t run the risk of non-compliance.
Cost implications of data compliance and non-compliance
Failing to comply with data protection regulations carries a high penalty. With GDPR, the financial cost of non-compliance is a maximum of 4% of annual turnover. That’s a high price to pay, however you look at it. But worse still is the reputational damage that is a natural consequence of failing to protect customer data. Losing customers’ trust could cost you your entire business. Clearly, it’s worth prioritising.
Meanwhile, complying with data protection regulations can also be costly. In particular, having to choose regions based on compliance means you can’t choose based on which region offers the best price. Microsoft says: ‘(The) cost of an Azure service can vary between locations based on demand and local infrastructure costs’. They also point out that specialist high-security cloud regions come at a higher cost. Make sure when you are pricing your cloud solution, you do it based on the regions you intend to use.
Compliance by other means
Of course, Azure is not the only cloud provider out there offering the ability to choose from a multitude of regions. Neither is public cloud the only option for high-performance, low-latency data storage and processing. Many companies are making the most of the flexibility offered by hybrid IT to solve all their challenges: performance, cost and compliance.
Using a mix of public and private cloud and colocation, you can optimise control over all your workloads and your budgets, while ensuring you’re always on top of data sovereignty and compliance requirements. If you do it right, it’s a win-win-win for you and your customers. It’s definitely worth being strategic about your choices. To have an expectation-free chat with one of our experts, get in touch.