Journey to the Cloud: key things you need to know about data sovereignty

Cloud-based services can offer organisations significant value. From a cost, maintenance and deployment standpoint, the cloud can deliver applications and data that help organisations move faster and be more competitive. However, headaches can start when it comes to data: more specifically, where it’s housed and who is looking after it. This is even more pressing now with the incoming GDPR legislation looming. If this isn’t something you’ve given much thought, we would suggest that you need to – and soon.

We’re not suggesting delaying, let alone cancelling, cloud migration efforts, but instead making a closer examination of the key considerations at the outset. In particular: where your data will reside, what’s in the small print, and whether your cloud services provider is transparent.

Increasingly we’re seeing pressure put on companies to make data available for ‘security’ reasons, so it’s important that organisations aren’t storing data in countries where such pressure may be applied unreasonably. For example, if you use webmail provided by an international service provider, your data is held under the jurisdiction where that provider is based.

While we understand that data might need to be made available for a particular reason, such as suspected criminal activity, we have also seen recently the US government demanding 1.3M IP addresses of visitors to the anti-Trump protest website disruptj20.org. Whether merely visiting such a site could be deemed ‘criminal activity’ is up for debate, but nevertheless the alleged ‘disruptive’ aspect of the site gave the US government cause to go to the ISP and demand visitors’ data. If that data is made available, how is it going to be used, and what’s the risk that it will leak out?

Essentially, if you’re not sure about whether you want your data to be on servers that are under someone else’s legislation, then it’s critical that you ask your provider how and where they intend to store your data. More importantly, you need to be sure that you trust that they are being transparent when it comes to providing the answer.

When it comes to data and where it’s housed, ownership is everything. If your service provider doesn’t own the facilities where your data is stored, you seriously need to question this. At Intercity Technology, we have 100% ownership of our data centres and we are strict about where data is held. Even if presented with a more convenient way of hosting data we wouldn’t sacrifice what we stand by, but that’s a more difficult promise for service providers who are using third parties to make. You need to work with a service provider that understands your concerns around data and meets your needs, not one that expects you to like it or lump it, meaning that you sacrifice what you really require.

Think about it like this: if you’re a tenant you haven’t got control, and you have to ask permission before you can do anything, but when you’re a homeowner you can do what you like, as your property is 100% yours and in your control. Similarly, once you have given your data to a service provider that doesn’t own its data centre, you’re separated from the people who are physically hosting it. You’re relying on your service provider to make sure everything runs smoothly, which should be the case most of the time, but what if they can’t do this because they have limited control, and what if something does go wrong? This is when we come back to the all-important question for your cloud service provider: can you really promise me my data won’t leave the UK?

With GDPR coming into force in May 2018, if your data is already outside of the UK you’ve got to ask yourself what will happen if something goes wrong. For example, TalkTalk was fined £100k after the data records of 21,000 people were exposed to fraudsters in an Indian call centre. As Information Commissioner Elizabeth Denham said, “TalkTalk should have known better and they should have put their customers first.” TalkTalk’s subsequent decision to withdraw all customer service operations from India indicates how serious an issue this was for them and their customers.

The point is this – if you take a risk with your data, particularly that of your customers, and it goes wrong, the consequences could be drastic. So ultimately, you’ve got to ask yourself – are you feeling lucky?

If this blog has helped you understand the importance of data sovereignty and you want to explore it in more detail then why not take advantage of our complimentary cloud audit and let us support you on your journey to the cloud…

We are GDPR ready!

We are pleased to announce that Naome Harrison, our Quality and Assurance Manager, has become a Certified EU General Data Protection Regulation Practitioner! After spending time learning from the experts on how to meet the requirements of the EU GDPR to help us get ready for the impending regulation, we caught up with Naome to find out more about what the course involved and what her new practitioner status means for Intercity Technology…

What did the GDPR Practitioner course and assessment involve?

The GDPR Practitioner course was split into two parts: GDPR Foundation and GDPR Practitioner. The foundation was a one-day course with an exam at the end of the day. The aim of the courses was to provide a comprehensive introduction to GDPR and a practical understanding of the implications and legal requirements. The foundation was a prerequisite for moving onto the GDPR Practitioner course.

The GDPR Practitioner course took place over four days with an independent APMG exam at the end of day four. The course’s aim was for the candidate to gain the knowledge and skills to implement an effective compliance programme and fulfil the role of the Data Protection Officer (DPO) under the GDPR. Under the new EU data protection regulations, the appointment of a Data Protection Officer (DPO) will be mandatory for controllers and processors in the public sector or for companies processing large-scale systematic data. The obligations of this new and challenging role will require insight into cyber threats, risks, data breach management, secure design and secure by default principles, privacy compliance and the legal spectrum of the GDPR.

What does this now mean for your role and Intercity Technology?

It is a legal requirement for Intercity Technology to comply with GDPR by 25th May 2018. Attending the course qualifies me to be a Data Protection Officer (DPO), so I can ensure that as a business we have the correct knowledge to drive the GDPR project and continued compliance forward. The DPO role is compatible with my current role of Quality and Assurance Manager and ensures the business has a DPO representative who doesn’t have a conflict of interest.

What have you learnt?

There is a lot of work to do! On a more serious note, data protection and GDPR are a hot topic on everyone’s lips at the moment, and I think Intercity Technology is on a good front foot in ensuring compliance, due to us having an established IMS (Integrated Management System), which includes ISO27001 – Information Security, ISO20000 – Service Management & ISO9001 – Quality Management, and Cyber Essentials. We also host the majority of our own data, so we have a good grip on where personal data is being stored.

Naome will be talking about how Intercity Technology has approached GDPR, as well as holding a Q&A session at our GDPR event in London on Tuesday 19th September, in conjunction with Juniper and thinkfortytwo.