The cloud clock is ticking: it's time to think seriously about data sovereignty

As more aspects of our business and personal lives move online, there is greater concern from individuals, businesses and governments around the protection of the digital information that is held and shared there.

Complications are growing around "data sovereignty" - an umbrella term used to cover anything related to the protection of data, including data privacy and its associated laws and regulations, data encryption, transfer, storage and overall information governance.

Recently, the Court of Justice of the European Union's (CJEU) advocate general expressed the opinion that the 15-year-old Safe Harbour rules governing the sharing of data between the EU and US were "invalid". The CJEU followed a couple of weeks later with its decision and agreed with the advocate general's opinion.

As a result, any company using Safe Harbour will now need to evaluate how it protects personal data, as well as re-evaluate its governance, risk and compliance processes to meet international data transfer requirements.

Furthermore, in September, Microsoft was in court to challenge a demand from the US government that it hand over emails stored at a data centre in Ireland, which were alleged to contain details of narcotic sales.

Both of these examples represent significant milestones in the importance of data's physical location, and strike at the heart of important questions around data privacy. The results will have far-reaching implications for cloud providers and, indeed, any company that stores its data in the cloud - which today is almost every company in the world, whether they're aware of it or not.

Regulating cloud-held data

While many businesses focus on managing the migration of their data storage to the cloud, governments and regulatory bodies across the world are looking at ways of regulating this cloud-held data. As a result, businesses will need to learn a whole new way of doing business.

Many countries are attempting to introduce new legislation on data privacy, or overhaul that which already exists.

The European Union is currently working on implementing the General Data Protection Regulation (GDPR) as a replacement for the EC Data Protection Directive, a change which will impact all global organisations doing business in Europe.

Set to be finalised by the end of this year, violations of the GDPR could result in billions of dollars' worth of fines for some of the world's highest profile companies. With this in mind, businesses around the world should start considering the working practices of their cloud providers if they are to avoid such penalties.

Putting measures in place

Unless certain provisions are in place or have been met, data is not allowed to leave the European Economic Area (EEA), which includes countries within the EU as well as Iceland, Norway and Lichtenstein.

Information governance frameworks must be in place to ensure that any contractors employed to transfer, store or process information are complying with data privacy legislation.

And not only is it important that every cloud provider has measures in place to protect personal data, but organisations need to understand how their data will be secured.

Serious considerations

Beyond understanding regulations, businesses should give serious consideration to physical location, technology, and governance when developing a cloud strategy to protect their data.

Physical location is important for those businesses and countries that insist on a degree of data residency, where some critical information is kept in-country or behind corporate firewalls. In the online world, however, where data is under constant threat from cyber-attacks or accidental leaks, it's important to assess what technology is able to protect that data.

Encryption, for example, must travel with a file wherever it goes, whether that data is stored on a company iPad, a personal laptop or a corporate server, meaning that only those authorised to view that file will be able to do so.

Finally, it's important that companies that house personal data ensure their internal policies and procedures offer a safe haven for this information. Given how rapidly legislation is changing, however, the concept of data governance is currently something of a moving target.

What is clear though is that, as businesses continue to move to the cloud, it's important that they focus on the right areas of keeping their data secure, ensuring that they work with the right partners.

Those that don't, risk getting caught out as changing regulatory powers catch up with the online world in which individuals, businesses and governments increasingly live.

Deema Freij is global privacy office at Intralinks