
Why public cloud can be an obstacle to data compliance

When GDPR came into force in 2018, there was something of a scramble to understand the many requirements of this new data protection law and how to achieve compliance, especially for organisations that outsource their IT to a cloud provider. All this time later, though our collective understanding of compliance has matured, achieving it still causes plenty of headaches. Take, for example, data sovereignty: the principle that data is subject to the laws of the jurisdiction in which it was collected and, in practice, of wherever it is stored or processed. No problem, you might think. I collected the data in the UK, we work in the UK. All good. But if you are storing that data in the public cloud, and the provider’s hardware holding it is not located in the UK, the data has crossed a border and falls under GDPR’s rules on international transfers, so there is a real chance you are unwittingly falling out of compliance.



What is the cost of non-compliance?

The maximum penalty for the most serious GDPR infringements is €20 million or 4% of annual worldwide turnover, whichever is higher (the UK GDPR sets the figures at £17.5 million or 4%). So a company with £5 million in annual turnover cannot assume its exposure is capped at 4% of that, £200,000; the fixed figure applies instead, and even the lower amount is not insignificant. Perhaps the greater concern, however, is what non-compliance might do to your reputation, which in the long term could have far greater repercussions. New customers will do their research and choose an alternative provider that offers them greater data security. Existing customers and partners may decide they can’t trust you and move their business elsewhere.

Where is the cloud?

The big cloud providers, such as AWS, Azure and Google Cloud, have data centres all over the world. Each is organised into regions (Frankfurt, for example, is a region for all three) and, within a region, availability zones (separate data centres a short distance apart, so that a fault in one does not take out the others). These physical hubs are spread out so that they not only benefit from being close to the providers’ global customer base (providing low-latency connections), but also take advantage of lower-cost host countries, while spreading the load on the providers’ resources.

Ideally you, as a cloud customer, would also take advantage of these benefits, opting for the regions that give you the best efficiency at the lowest cost. However, as AWS states: ‘If your workload contains data that is bound by local regulations, then selecting the Region that complies with the regulation overrides other evaluation factors’. Basically, compliance trumps all other concerns, simply because the impact of non-compliance (financial and otherwise) is so great.

And it’s not just GDPR. There are other industry-specific data compliance regimes to consider, such as the Privacy and Electronic Communications Regulations (PECR), the Basel Accords for banks, the Payment Card Industry Data Security Standard (PCI DSS), and the Data Security and Protection (DSP) requirements for health and care service providers.

If you store data that is subject to industry-specific regulations or to general data protection law, whether the UK and EU regimes or one of the many other data protection regulations in force in other countries and regions, then the ability to know and control where that data is stored, and where it may be copied to, should be a top priority in your choice of cloud provider.

Who chooses where your data is stored?

With some cloud providers, the only way to know where your data is physically stored is to ask. They should be able to tell you (though if the answer is not to your liking, your options are limited: repatriate the data, migrate to another provider, or put up with it).

However, the cloud hyperscalers (AWS, Azure and Google Cloud) let you choose the region, and often the zone, every time you create a resource, so you know where that resource’s data will live. This is a great improvement in transparency, but the onus is on you as the customer to get the choice right, and to keep getting it right: the provider will not advise you, and the choice is made per resource rather than once at sign-up. Two caveats a practitioner should check: some services are global (identity, DNS and CDN, for example) and are not pinned to any region, and any backup, replica or log shipping you configure can copy data into a second region unless you set it up not to. You need to be aware of the requirements that apply to your data and verify, service by service, where it actually ends up.

Your data, your responsibility

In order to make the right choice, you’ll need to carry out an audit of your data: what it is, where it originated, who it relates to and which compliance requirements it is subject to. Armed with this information, you can select the right region for each dataset, separate data and/or workloads into different regions where necessary, and put a control in place so that nobody creates a resource outside the approved regions by mistake.
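To make that audit and region choice concrete, here is an added example (my own code, not 4D’s and not any cloud provider’s) that checks a constructed resource inventory against per-data-class residency rules and then builds the AWS Organizations service control policy that would block new resources from being created outside the approved regions. The region-to-country map, the data classes, the resource names and the inventory are all assumptions for illustration; the region codes are the providers’ real ones, and aws:RequestedRegion is a real AWS condition key.

```python
import json
from dataclasses import dataclass

# Region code -> ISO country code of the data centres that host it.
# The codes are the providers' real region names; the mapping itself is
# an assumption for this example, not something the providers publish.
REGION_COUNTRY = {
    "eu-west-2": "GB",      # AWS London
    "eu-central-1": "DE",   # AWS Frankfurt
    "us-east-1": "US",      # AWS N. Virginia
    "uksouth": "GB",        # Azure UK South
    "europe-west3": "DE",   # Google Cloud Frankfurt
}

# Countries in which each class of data may be stored. These classes and
# rules are invented for the example; the real ones come from your audit.
ALLOWED_COUNTRIES = {
    "uk-personal": {"GB"},
    "eu-personal": {"GB", "DE"},
    "public-marketing": {"GB", "DE", "US"},
}

@dataclass(frozen=True)
class Resource:
    name: str        # hypothetical resource name
    region: str      # provider region the resource was created in
    data_class: str  # classification assigned during the data audit

# Constructed inventory, not taken from a real account.
INVENTORY = [
    Resource("customer-db", "eu-west-2", "uk-personal"),
    Resource("customer-db-replica", "us-east-1", "uk-personal"),  # outside GB
    Resource("invoice-archive", "europe-west3", "eu-personal"),
    Resource("website-assets", "us-east-1", "public-marketing"),
    Resource("legacy-bucket", "ap-southeast-1", "uk-personal"),   # unmapped region
]

def find_violations(inventory, region_country=REGION_COUNTRY, allowed=ALLOWED_COUNTRIES):
    """Return a list of (resource name, reason) for every resource hosted
    outside the countries its data class permits. A region missing from the
    map or a data class with no rule is reported too, so the check fails
    closed instead of silently passing the unknown cases."""
    problems = []
    for res in inventory:
        country = region_country.get(res.region)
        if country is None:
            problems.append((res.name, f"region {res.region} is not in the approved region map"))
            continue
        permitted = allowed.get(res.data_class)
        if permitted is None:
            problems.append((res.name, f"no residency rule for data class {res.data_class!r}"))
            continue
        if country not in permitted:
            problems.append((res.name,
                f"{res.data_class} data is in {country} ({res.region}); allowed: {sorted(permitted)}"))
    return problems

# AWS services that are global (they have no region) and must be exempted
# from a region deny, otherwise every call to them is blocked. Illustrative list.
GLOBAL_SERVICES = ("iam", "sts", "organizations", "route53", "cloudfront", "support")

def region_guard_scp(allowed_regions, global_services=GLOBAL_SERVICES):
    """Build an AWS Organizations service control policy that denies any
    regional API call whose target region is outside `allowed_regions`,
    using the aws:RequestedRegion condition key. Attach it to the OU that
    holds the accounts storing residency-bound data."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyRequestsOutsideApprovedRegions",
            "Effect": "Deny",
            "NotAction": [f"{svc}:*" for svc in global_services],
            "Resource": "*",
            "Condition": {"StringNotEquals": {"aws:RequestedRegion": sorted(allowed_regions)}},
        }],
    }

if __name__ == "__main__":
    for name, reason in find_violations(INVENTORY):
        print(f"VIOLATION {name}: {reason}")
    print(json.dumps(region_guard_scp({"eu-west-2"}), indent=2))
```

The two halves do different jobs. The policy only governs future API calls, so it stops the next engineer from creating a replica in the wrong region; it does nothing about data that was already copied elsewhere, which is what the inventory check is for. The NotAction list matters: without it a region deny also blocks IAM and the other global services. Azure (the built-in "Allowed locations" policy) and Google Cloud (the resource locations organization policy constraint) offer equivalent controls.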

The downsides of prioritising compliance

The flip side is that when you prioritise compliance you cannot also prioritise performance and cost; you may have to accept a trade-off. For example, if you opt for cloud provision in your own region, a logical choice, you might miss out on the chance to be closer to your customers and provide them with a lower-latency connection. Your region might also be more expensive than others, which eats into the cost savings your cloud migration was meant to deliver.

Alternative options – private cloud, colocation and hybrid IT

The obvious alternative to public cloud is private cloud, but that might not be a good fit for your business either. Luckily you don’t have to put all your eggs in one basket. Hybrid IT lets you take advantage of the many infrastructure options available to you (public cloud, private cloud, colocation and your own hardware) to deliver the best results in terms of compliance, performance and cost. You could keep personal data on a private cloud system or on your own hardware in colocation, and at the same time run customer-facing tools on the public cloud in the region that best fits your customer base. It’s a question of the right platform for the right workload, in the right place.

Though these are complex decisions, it is worth taking the necessary time to develop a cloud strategy that protects data sovereignty and avoids non-compliance. If you want some unbiased advice about what IT solutions could best support your business, we offer the full range of services at 4D, and you can chat to one of our experts with no obligation at any time.
