After four years in the making and a two-year transition period, the European Union's General Data Protection Regulation (GDPR) will finally be enforced from 25 May 2018. It replaces the national laws and regulations based on the 1995 EU Data Protection Directive, and it also applies to organizations outside the EU that target EU customers.
Although the GDPR largely carries forward the principles and language of the 1995 directive, it also adds new requirements whose consequences are not yet clear. These include a stricter concept of consent, a provision for data portability and a 'right to be forgotten.' It also promises greater harmonization across Europe, which multinational organizations may welcome, as well as relief from the registration requirements that have persisted in many countries.
Although this is a major step by the European Council, taken after Brexit, the terms of the regulation are already proving to be a considerable challenge, twists and turns included. One of the most prominent parts of the law is data localization: a requirement that particular customer data remain confined within the borders of a country or region. Although the GDPR places significant emphasis on data localization, the concept is not new. Before 2018, countries such as Germany, Switzerland, the Netherlands, China, Russia, Turkey, Uganda, Indonesia, Tanzania and Kenya, among others, passed similar measures. The impending GDPR, however, has once again taken the limelight from them.
Specifically, the GDPR provides that personal data may be transferred to countries outside the European Union only when an adequate level of protection is guaranteed. If a company has even slight doubts about a particular destination, the data cannot be sent there. With the cost of non-compliance so high, many organizations will decide against taking the risk and will play it safe by keeping their data within the EU, or even within the country or region of origin. Germany, for example, restricts the transfer of data across its national border, including to other EU countries, unless adequate safeguards are guaranteed.
Data localization will strongly affect multinational companies, including U.S.-based firms, that use the cloud and operate in European markets, as well as cloud service providers. This is because such organizations fall into the GDPR's two major categories: 'data controllers' and 'data processors.'
Data controllers are agencies, companies or other bodies that, alone or jointly with others, determine the purposes and means of processing personal data. Up to 80 percent of organizations worldwide fall into this category.
Data processors are agencies, companies or other bodies that process personal data on behalf of a controller. Cloud service providers fall into this category. It is therefore no surprise that major providers have recently been expanding their infrastructure across Europe in order to meet the new requirements.
Although the public cloud offers many benefits to enterprise users, transparency, meaning the ability to see directly where data is stored and where workloads are handled, is often limited. This is especially problematic from a GDPR perspective, because organizations around the world that use the cloud will need to guarantee that certain data stays in its assigned location and does not travel elsewhere. If customer data moves outside the approved perimeter into a non-vetted area, both the organization and the service provider will be in breach.
While enterprise cloud users are aware of the compliance risks, this is not discouraging them from adopting the cloud. To manage those risks, they need greater clarity and transparency into their service providers' data storage and workload distribution, as well as a multi-cloud strategy that lets them move between providers as needed to ensure compliance. Trust is crucial, and resistance to single-vendor lock-in will grow as organizations demand greater flexibility to meet country-specific consent requirements, along with the ability to switch providers smoothly if that trust is ever broken.
One thing is certain: for enterprise cloud users, trusted data localization capabilities are now another demanding criterion in evaluating and choosing providers. Data localization and the cloud are examples of GDPR requirements that call for urgent and careful consideration.