Cross-Border Data Restrictions and Your Cloud Strategy
Companies with customers, supply chains, partners, and offices in multiple countries must understand the cross-border data restrictions of each country they are involved with.
A dizzying number of country-by-country (or country-union-by-country-union) data laws and standards have appeared since 2015, when an EU court threw out the idea that U.S. companies could self-certify their adherence to EU data protection standards. World leaders are still scrambling to understand the complications that the cloud introduces to the global nature of business today.
Multiple Regulations Add to Confusion
Without widespread standards, each country has adopted a profile of regulations. These are based on the perception of how internal data residency affects jobs and protection of citizens' data. The U.S., for example, does not have a nationwide data protection law, but it does impose rights upon non-U.S. data in-country through the Patriot Act.
Government can be an imposing extra participant in the relationship between company and cloud provider, and its regulations can put a company in a no-win situation. For example, a government might request data from a company, but per the agreement with the cloud provider, a government may be seen as a third-party to which user data cannot be provided without individual consent.
Some countries require some data captured by public institutions to be localized. Others require citizen consent before their personal data can leave the country. Some countries extend this to all data. Some countries allow a free flow of data as long as it does not contain personally identifiable information (PII).
Do not assume every country's approach is the same as yours. To protect yourself, forbid your cloud vendor from transferring data from one data center to another without your consent, even upon an "act of God."
Creating a Global Cloud Strategy
Despite this active ecosystem of laws and interpretations, the cloud remains a viable strategy. Part of preparing for the cloud is to do a country-by-country legal assessment for all countries in your company's ecosystem. A workable strategy always exists.
An important part of this strategy is to make sure all data-hosting policies have a strong location/jurisdiction component to them as well as a strong acknowledgement for global businesses that cloud services will be hybridized.
For some, the policy will dictate limiting analysis to data on a country basis. Frequent shoppers may need to be made aware that their purchases accrue by country or region or that some country purchases are excluded.
For many, multiple clouds will be necessary.
Although these laws tend to hurt rather than help a country's companies, you still need to understand and monitor the cross-border data restrictions when moving to the cloud. Understanding the location of your data is imperative.
Ultimately, these regulations could limit what you actually can do as a business, but they should not limit your smart move to the cloud. While countries and global corporations argue the restrictions out on the grand stage, your approach to data should deliver in the cloud as you adhere to these limitations.
McKnight Consulting Group is led by William McKnight. He serves as strategist, lead enterprise information architect, and program manager for sites worldwide utilizing the disciplines of data warehousing, master data management, business intelligence, and big data. Many of his clients have gone public with their success stories. McKnight has published hundreds of articles and white papers and given hundreds of international keynotes and public seminars. His teams’ implementations from both IT and consultant positions have won awards for best practices. William is a former IT VP of a Fortune 50 company and a former engineer of DB2 at IBM, and holds an MBA. He is author of the book Information Management: Strategies for Gaining a Competitive Advantage with Data.