This article is not intended to constitute legal advice. Specific legal advice should be sought before taking or refraining from taking any action in relation to the matters mentioned in this article.
As the use of cloud services continues to rise, concerns also grow as to where the service provider is storing the associated data.
Recently we received this question from a member: “I make use of a cloud service provider, a well-known on-line application. How can I determine where my data is stored?”
Knowing where a cloud service provider stores your data could determine if you choose to use the service or not.
It is not always an easy task to find an answer to this apparently simple question. However, below are a few suggestions that may help.
The first is simply to ask the vendor. This could be done via technical support or the pre-sales function, either on-line or on the telephone. Most service providers should be able to answer this question quickly and easily. It is in the interests of the service provider to be transparent about where data is stored.
The storage location of data is often included in privacy policies. Links to these statements are often displayed on the front page of company websites.
You could even ask your favourite search engine, for example “where is [service/application] data stored?” As this question has almost certainly been asked before, the resulting answer and links can prove helpful.
An associated question to the first one could be: should I care where my data is stored?
A few organisations explicitly state where data can be stored, NHS England being one. One of the key attributes of a cloud service is that it is shared by many customers. The result is that there will not be a data centre in every territory in which the service is provided. This means that for some services the data could be stored outside of the country in which you operate.
It is also possible that your organisation provides services to clients outside your principal operating location.
The General Data Protection Regulation (GDPR) will be introduced in May 2018, replacing the existing Data Protection Act (DPA). (For more information see icaew.com/gdpr) The EU expects any organisation that processes data belonging to EU residents to do so to an equivalent level of data protection as the GDPR. The UK will be incorporating the GDPR into a new Data Protection Bill shortly.
One consideration is to establish if the data centre that hosts your client data is located in a territory that conforms to the GDPR, or plans to do so in the future.
The reality is that if your data is stored in the EU then you are assured compliance with an equivalent regulatory regime. Additionally, the EU has defined a number of countries as having sufficiently robust (equivalent) data protection frameworks. You can find a list here, which includes the USA.
The protection of data stored in the US is assured by the EU-USA Privacy Shield agreement. However, the legitimacy of this agreement continues to be challenged by privacy campaigners. For more information on Privacy Shield see here.
Naturally cloud service providers are aware of all of these considerations. As a result, they choose to locate their data centres in locations that comply with the applicable laws and regulations.
Ultimately the decision to pick one cloud vendor over another will be a risk-based decision. The size, strength, market reputation and location of any service provider are all factors that will be part of that risk-based assessment.