When the topic of the GDPR (General Data Protection Regulation) was hotting up a couple of years back, one question which would raise its head consistently was the compatibility of the cloud with elements of the regulation which restrict the geographical location of data processing.
Even with the GDPR currently in effect and enforced, there is still much confusion, particularly in an age where the march toward cloud adoption appears to be unrelenting.
GDPR Data Sovereignty Requirements
The GDPR applies in any circumstance where the personal data of natural persons located in the EU (European Union) or EEA (European Economic Area) is collected or processed, irrespective of location.
In essence, if you use a cloud provider based in a country outside of the EU or EEA to process data subjects' personal data, then that cloud provider is subject to the requirements of the GDPR.
This movement of personal data to the cloud is considered a transfer between you and the cloud provider. Where this becomes a point of contention is that the GDPR has specific conditions for the transfer of personal data outside of EU/EEA member states.
Chapter 5 of the GDPR lists two conditions whereby data transfers outside of the EU/EEA are permitted:
- Where the European Commission has deemed a third country to have adequate data protection laws. This list currently totals twelve and includes Israel, New Zealand, Switzerland, Canada, Andorra, Argentina and the US (Privacy Shield accredited organisations only).
- Where an adequacy decision does not exist, it is up to the data controller and processor to come to an agreement safeguarding the rights and remedies of data subjects, in equal measure to the regulation itself.
GDPR and the Cloud
For a small business that does not trade outside of the member states, it is easy to believe its exposure to GDPR data transfer rules is non-existent. However, it is the small and medium-sized businesses and organisations who are most exposed by their rampant uptake of cloud services.
Cloud providers are often measured by their resiliency, otherwise known as up-time statistics. This is the guarantee which is placed on their cloud service being available to you. There are a number of ways to increase cloud resiliency, including placing multiple nodes across various geographical regions.
Without data sovereignty requirements, this type of solution is ideal as it escapes the impact of a loss of service in one region by replacing it with another.
However, with the GDPR, this can become troublesome, particularly when cloud service providers choose to host their services in cheaper countries not favoured by the rulings of the European Commission.
Progress MOVEit and Cloud Data Sovereignty
This doesn't mean to say that the GDPR is a barrier to cloud usage and adoption, despite what a lot of people have come to think. Rather, there are a number of factors which should be taken into account.
As an example, we have worked with well-known managed file transfer provider Progress for a number of years. At the start of 2018, they launched a cloud version of their popular MOVEit Transfer solution aimed at cloud-focussed organisations that want to share files securely with third parties.
Understanding that a core requirement would be EU/EEA data sovereignty, they developed a service which is as painless as possible from a GDPR perspective:
- Personal data is stored in Microsoft Azure data centres, restricted to European tenants only.
- Personal data is never shared with the US version of the same solution.
- High availability stays within the same region, as do backups.
- Progress maintains an office within the European Union for all communication and queries with customers.
Of course, this list is not exclusive to Progress solutions and merely serves as an example of how cloud solutions can be adopted safely and legally by EU/EEA resident organisations.
Where possible, always consult with the cloud provider in question.