GRC Tuesdays: GDPR vs. Data Localisation vs. Public Cloud
The old joke goes that “the cloud is just someone else’s computer.” But what if you don’t know where that computer is located? Organizations using or thinking of using the public cloud have a dilemma. How do they maximise the benefits of using the public cloud yet comply with GDPR and other global data protection laws that require data localisation? How do they square the GDPR, data localisation, and public cloud circle?
GDPR vs. Data Localisation
Data localisation laws restrict the storage of personal data to within the borders of a particular country or region. A common misconception about GDPR is that personal data must remain within the European Union (EU). This is not the case.
Specifically, personal data can be moved outside the EU, but only if the jurisdiction in which the recipient is located provides an adequate level of data protection. However, outside the EU, multiple data localisation laws do exist, including laws in Canada, China, Australia, and Russia.
- This means that multinational organizations operating both in the EU and elsewhere may have to be simultaneously compliant to both GDPR and any data localisation laws specific to the countries in which they do business.
Data Localisation vs. Public Cloud
The distributed nature of the public cloud is one of its key strengths, delivering lower latency, higher availability, improved resiliency, lower cost, and better performance. Data localisation laws that restrict where data can be stored and where cloud services can be used can erode many of these benefits.
Strict data localisation laws can also weaken the resilience of data held in the public cloud. For example, if a particular region suffers a network outage or a DoS attack, all data in that region could be lost, compromised, or made inaccessible. In such scenarios, restricting the storage of business data to a specific country or region may inhibit disaster recovery efforts.
- The challenge for organizations is to ensure that they meet local data protection regulations, where they exist, yet retain the flexibility to fully use their public cloud infrastructure in regions where strict data localisation rules don’t apply.
Public Cloud vs. GDPR
Public clouds deliver significant business benefits including scalability, elasticity, improved performance, and lower cost. However, when it comes to GDPR compliance the public cloud lacks two key features: transparency and control.
A public cloud user will struggle to comply with GDPR if they don’t know where their data is being stored, moved to, or processed. In addition, an organization may be confident that some non-EU jurisdictions have adequate levels of data protection, but how do they ensure that their cloud data is only stored and processed there rather than in riskier locations?
- In order to support GDPR compliance in the public cloud, users need to know in near real time where their data is being stored, moved, and processed. They need to be able to configure and enforce rules that ensure their business data is only moved to, processed, and stored in regions the European Commission has recognised as having adequate levels of data protection.
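The rule described above (business data may only be stored, replicated, or processed in an approved set of locations) can be expressed as a residency policy and evaluated against a resource inventory. The following is an added example written for this post; it is not SAP Data Custodian code and does not use any SAP API. The region-to-country mapping, the allow-listed countries, and the inventory of storage buckets are all constructed for illustration; a real deployment would populate the allow-list from the European Commission's current adequacy decisions and from whichever local laws apply, and would pull the inventory from the cloud provider's own resource metadata. Replication targets are treated as storage locations, since a replica in a non-approved region is the kind of exposure the text warns about.

```python
"""Data-residency policy check (added example, not SAP Data Custodian code)."""
from dataclasses import dataclass, field

# Constructed mapping of cloud region code -> ISO country code.
# Assumption for the example; a real check would use the provider's metadata.
REGION_COUNTRY = {
    "eu-west-1": "IE",
    "eu-central-1": "DE",
    "us-east-1": "US",
    "ap-southeast-2": "AU",
}


@dataclass(frozen=True)
class ResidencyPolicy:
    """Countries in which a given class of data may be stored or replicated."""
    name: str
    allowed_countries: frozenset  # placeholder allow-list, constructed below


@dataclass
class StorageResource:
    """One storage bucket/volume and every region holding a copy of it."""
    resource_id: str
    data_class: str                 # e.g. "eu_personal", "au_personal"
    primary_region: str
    replica_regions: list = field(default_factory=list)

    def locations(self):
        # Primary and replicas all count: a replica is still stored data.
        return [self.primary_region, *self.replica_regions]


@dataclass(frozen=True)
class Violation:
    resource_id: str
    region: str
    policy: str
    reason: str


def evaluate(resources, policies):
    """Return every residency violation found in the inventory."""
    violations = []
    for res in resources:
        policy = policies.get(res.data_class)
        if policy is None:
            # Unclassified data cannot be proven compliant; flag it rather than skip it.
            violations.append(Violation(res.resource_id, "-", "none",
                                        f"no residency policy for data class {res.data_class!r}"))
            continue
        for region in res.locations():
            country = REGION_COUNTRY.get(region)
            if country is None:
                # Unknown region -> unknown jurisdiction -> treat as a violation.
                violations.append(Violation(res.resource_id, region, policy.name,
                                            "region not in residency map"))
            elif country not in policy.allowed_countries:
                violations.append(Violation(res.resource_id, region, policy.name,
                                            f"country {country} not allowed for {policy.name}"))
    return violations


def is_compliant(resources, policies):
    return not evaluate(resources, policies)


def build_policies():
    # Constructed allow-lists; NOT a statement of which countries are adequate.
    return {
        "eu_personal": ResidencyPolicy("eu_personal", frozenset({"IE", "DE", "FR"})),
        "au_personal": ResidencyPolicy("au_personal", frozenset({"AU"})),
    }


def build_inventory():
    # Constructed sample inventory.
    return [
        StorageResource("crm-eu", "eu_personal", "eu-west-1", ["eu-central-1"]),      # ok
        StorageResource("hr-backup", "eu_personal", "eu-central-1", ["us-east-1"]),   # replica outside allow-list
        StorageResource("au-customer", "au_personal", "ap-southeast-2"),              # ok
        StorageResource("telemetry-raw", "telemetry", "us-east-1"),                   # unclassified
        StorageResource("lab-export", "eu_personal", "sa-east-1"),                    # region not mapped
    ]


if __name__ == "__main__":
    for v in evaluate(build_inventory(), build_policies()):
        print(f"{v.resource_id:14} {v.region:16} {v.policy:12} {v.reason}")
```

Running the module prints one line per violation: the `hr-backup` replica in `us-east-1`, the unclassified `telemetry-raw` bucket, and `lab-export` in a region the map does not know. The last two cases matter as much as the first: a check that silently passes data it cannot classify or locate gives exactly the false confidence the text cautions against.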
Choosing the Flexible Approach to Data Protection in the Cloud
Attempting to comply with both GDPR and other global data localisation laws by locking all of your cloud data within a specific region is a crude, inflexible solution that risks reducing many of the business benefits of moving to the public cloud. Instead, organizations need a more flexible approach to data protection in the public cloud.
Designed in partnership with public cloud providers, SAP Data Custodian addresses the need for improved data transparency and control in the public cloud. By providing near real-time visualisation of where data is being stored, moved, and processed in the public cloud, organizations can easily understand if they are at risk of breaching GDPR and other data localisation laws.
In addition, controls enable users to configure policies that can be used to enforce data protection and compliance simultaneously within the EU as well as elsewhere. If required, users can configure policies that go beyond local data protection requirements and rapidly adapt policies in response to changing global data protection legislation.
SAP Data Custodian: A Perfect Balance
By delivering improved data transparency and control of public cloud data, SAP Data Custodian can help customers square the GDPR, data localisation, and public cloud circle, balancing the requirements of data protection legal compliance with effective use of the public cloud.
Visit our SAP product page for more information on SAP Data Custodian.
NOTE: The information contained in this blog represents the author’s personal opinion and is for general guidance only and provided on the understanding that SAP is not herein engaged in rendering legal advice. As such, it should not be used as a substitute for legal consultation. SAP SE accepts no liability for any actions taken as response hereto.