How startups can ensure data protection and data sovereignty compliance in the cloud

Business use of the cloud is booming, with companies spending more than ever on developing existing cloud projects while record numbers of new entrants take their first steps into the cloud journey.  


It’s a trend that has been accelerated by the COVID-19 pandemic, with analyst Gartner predicting that global spending on public cloud services will grow 23.1% in 2021 to $332.3 billion.  

In the report, Sid Nag, research VP at Gartner, said the pandemic has removed any reluctance to move mission-critical workloads from on-premises to the cloud. “Emerging technologies such as containerisation, virtualisation and edge computing are becoming more mainstream and driving additional cloud spending. Simply put, the pandemic served as a multiplier for CIOs’ interest in the cloud.”  

Data protection complexity and compliance challenges 

GDPR

However, one of the most important issues to consider before adopting the cloud is ensuring compliance with the growing number of data protection and sovereignty laws. For example, Europe’s General Data Protection Regulation (GDPR) was introduced in 2018 and is designed to keep information collected about EU citizens safe regardless of where in the world it is stored.  

In the US, the legal situation is far more complex because although there are proposals for a federal data law covering all Americans, different states are at differing stages of creating and passing their own data laws, such as the strict California Consumer Privacy Act, which came into effect in January 2020.  

CCPA

A recent article in The Drum highlights this confusion, saying: “With existing legislation and so many proposed bills in motion, it can be difficult to parse it all and understand how various bills might affect a company’s right to collect, store and sell consumer data. There is no simple guide to navigation. It’s up to individual businesses to do their due diligence to understand which laws they are subject to and to comply accordingly.”

Falling foul of data sovereignty laws can result in heavy fines and loss of customer confidence. In the first two years following the introduction of GDPR, the EU imposed fines of more than €114m for infringements and the maximum penalty can be as much as 4% of a company’s annual revenue.  

This accelerated push into cloud deployment is causing a “throbbing, unrelenting headache for businesses looking to operate and comply with legislation across borders,” according to Tech Radar. The challenge is that many of these laws are not compatible and, in some cases, they actually contradict each other. 

“It’s very easy to get tangled in a web of data protection infringements. In some countries, like the US, this could well end in a million-dollar lawsuit,” says the article.  

Cloud Act

The US Clarifying Lawful Overseas Use of Data (Cloud) Act, enacted in 2018, also allows federal law enforcement to compel US-based technology companies to hand over requested data held on their servers, whether those servers are located in the US or in any other country.

With these new data laws, companies remain unsure whether the data they process in the cloud may be accessed by US law enforcement agencies. This uncertainty can be a barrier to cloud adoption, with many turning to local providers or hosting data internally rather than moving it to an unknown location in the cloud.

Tackling cloud data sovereignty and security challenges 

These challenges need not be a barrier to cloud adoption. But full transparency about where your data is located, and about which regulations apply to it, is vital if you are to retain control of your data in the cloud.

It is worth noting that OVHcloud is the only European cloud provider listed among the major cloud vendors in analyst IDC’s latest worldwide public cloud infrastructure MarketScape report.  

Our advice here at OVHcloud is to ask these key questions of your cloud service provider:

  • Where is my data stored? 
  • What laws apply to my data and who could access it? 
  • Does my cloud provider follow best practices in terms of security & data protection? 

Some cloud service providers do not communicate to their clients the precise location where their data is stored beyond naming a geographical region or zone. Look for cloud providers that show more transparency and share detailed information with clients about the precise location of datacentres, perhaps even down to the exact room and server where the data is stored.  

Also check the level of security offered by your cloud provider to confirm that it holds industry-standard certifications such as ISO/IEC 27001, AICPA SOC II Type 2 and ISO/IEC 27701 (data privacy). Review your cloud provider’s Information System Security Policy (ISSP) documentation; everything should be reported there.

One company that successfully overcame this challenge is Global Data Sentinel (GDS), which has end-users around the world subject to strict compliance requirements due to local laws regarding the handling, storage and transmission of sensitive data.  

While GDS had investigated a number of well-established cloud providers, it became clear that they simply could not offer the level of flexibility – in terms of hardware, location and configuration – their sophisticated projects required. Instead, OVHcloud’s comprehensive range of dedicated servers and global network of 31 first-class datacentres proved the ideal fit for GDS. 

Protecting your organisation’s data is an increasingly complex task. When choosing a cloud provider, organisations should satisfy themselves that the choice of hardware, location of datacentres and connectivity combine to ensure their data is safe and compliant with any relevant legal obligations.


Philip has been working with startups for the last 20 years within the VC, technology transfer and business incubation industries. He has accreditation as a mentor and business coach with Mentors and Business Coaches International and currently leads the OVHcloud Startup Program globally. OVHcloud is a leading European hyperscaler and pure-play cloud provider.