Location, location, location. Not just the mantra of realtors and would-be buyers – it’s also a concern for data security professionals worldwide. As cloud computing has ramped up across industries, the physical location of stored data has been called into question, alongside concerns stemming from data privacy laws.
Read on to discover how data privacy acts are impacting file sharing.
Data Privacy and Protection Laws
Most data privacy and protection laws, like the GDPR, PIPEDA, and CCPA, to name a few prominent privacy acts, were established to protect the personal information of citizens of certain countries or states. These laws typically limit how organizations collect, store, and use the data of people living within those borders, citizens of those locations (no matter where they live), or both.
Alongside regulating what information can be collected, how long it can be stored, and how individuals can gain access to their data, some data privacy acts also outline where data can be stored or sent to. Occasionally, these laws will require the usage of in-country or in-region data centers for any cloud storage or backup.
Data Transfer Restrictions According to Privacy Acts
In one example, Argentina’s data privacy law requires that personal information be shared only with countries whose data protections are similar in strength or stronger.
EU businesses are also limited by the strength of the protection laws of countries to which they want to transfer data. Although the GDPR does not require the storage of personal data within the EU, some transfer destinations are restricted. In the UK, the Information Commissioner's Office (ICO) provides detailed guidance on international data transfers for organizations needing to comply with the GDPR. For instance, data transfers to the US must adhere to the EU-US Privacy Shield Framework.
In Canada, PIPEDA (soon to be replaced by the Consumer Privacy Protection Act, CPPA) impacts how and where various businesses process and store information. PIPEDA allows businesses in the private sector and those that are federally regulated to process and store personal data outside of Canada. The same is not true for public sector businesses, which are limited in how data is stored and accessed outside of the country by data localization laws.
Data Residency vs. Data Sovereignty vs. Data Localization
Data residency, a term often conflated with data localization and data sovereignty, is where a nation or government requires that data is stored in a specific location (typically within the country’s borders). Data sovereignty takes residency a step further, subjecting any data that is physically stored within the country’s borders to its laws, for both protection and punishment.
The third term, data localization, requires that data collected or created within a country’s borders remain there. Some laws allow copies to be transferred, but others prohibit data transfer outside of the country entirely.
These concepts are different sides of the same (three-sided) coin and show how closely data security, location, and exchange are intertwined.
Why Data Location Matters
TechTarget cuts to the heart of the matter, saying “Cloud computing, which allows businesses to deliver hosted services over the Internet, can create data residency concerns. With cloud computing, users are often unaware of their data's physical location, as cloud providers store data globally across different data center locations.”
All in all, the location of your data center could matter, and impact how and with whom you share data, but it depends on which data privacy laws your organization is subject to. You may need to store some data permanently within a certain country or adhere to specific security requirements when transferring it across borders. Some data privacy acts outline the appropriate storage systems and locations, and limit where data can be moved to, but cloud computing has thrown a wrench in the system.
Cloud Computing and Sensitive Data
Today’s organizations exchange data at a larger volume and faster pace than ever before. This escalation has ushered in the era of cloud computing, hybrid cloud environments, and data that is more distributed than ever before. Cloud computing, the practice of using external systems rather than buying, owning, and maintaining physical infrastructure, has helped organizations in many industries accelerate quickly and improve processes while saving money.
Cloud computing involves storing data in servers distributed around the world, which introduces complexities into the collection, storage, and distribution or usage process, especially when it comes to compliance with data privacy requirements. Global organizations that operate in multiple countries may be subject to multiple, and potentially competing, data protection rules.
Cloud providers are helping organizations meet these requirements. Microsoft, Google, and Amazon have all opened cloud service centers that help businesses meet data location requirements, including in Canada and Germany.
The Challenge of Cloud Computing & Data Location
Deloitte, in predicting cloud growth back in 2016, pointed out that “organizations that rely on multiple cloud service providers may have little or no control over the movement of their data through different data centers around the world.”
Using the cloud is a fantastic way to take advantage of sophisticated tools, scalable systems, storage, and more, all at lower cost and with less time and effort from your team. But when providers use data centers in other countries, you’ll need to ensure that your data is protected to the standards required in your country.
Cloud Computing and Complying with Data Privacy Laws
Data is the heart of the modern economy, and needs to be able to move freely but safely. Most data privacy laws understand this, which is why many new provisions, agreements, and laws consider business usage. There are some steps you can take to ensure your data processing meets privacy and security requirements:
- Understand how your cloud provider will protect your data
- Outline security and privacy measures in your SLAs, including technical controls like user access roles, encryption standards, or tools like data loss prevention
- Stay aware of where you’re processing data. If you’re transferring personally identifiable information outside of where it was collected or the place of citizenship, ensure that your processes meet the laws to which you are subject
- Put technical, administrative, and managerial controls in place to fully enforce and ensure top-down compliance
One of the benefits of complying with data privacy laws is that you’ll have a better understanding of your data, where it lives, and where it goes.
Get Convenience and Security with Hybrid Cloud
Regulations and security requirements may make moving entirely to the cloud infeasible or impractical for many organizations. A hybrid environment, where some data is on-premises in a location you own or control, and other data is in the cloud, is a great option to keep backups of sensitive data somewhere secure. It’s less likely to be impacted by server downtime, since most cloud platforms run servers in multiple regions to ensure that if one location becomes unavailable, the data is still secure elsewhere.
Transfer Files Securely, No Matter the Destination
GoAnywhere MFT is a secure file transfer solution that helps organizations comply with a variety of security standards. Through encryption, file transfer monitoring, audit logs, and granular user permissions, you can rest assured that you have a bird's-eye view of your data movement, helping meet data privacy requirements around the world.
Gain Control Over Your Data with MFTaaS
MFTaaS, a managed file transfer cloud-based offering hosted by GoAnywhere, gives you ultimate control over your data storage, while giving your team the time and budget to focus on the essentials of secure file transfer. With MFTaaS, you choose the region where data is stored so you can adhere to data residency requirements. Learn how you can secure your file transfers and meet compliance requirements today.