TDWI | Training & Research | Business Intelligence, Analytics, Big Data, Data Warehousing

Cross-Border Data Restrictions and Your Cloud Strategy

Companies with customers, supply chains, partners, and offices in multiple countries must understand how cross-border data restrictions affect cloud computing policy.

• By William McKnight
• March 17, 2017

Companies with customers, supply chains, partners, and offices in multiple countries must understand the cross-border data restrictions of each country they are involved with.

A dizzying number of country-by-country (or country-union-by-country-union) data laws and standards have appeared since 2015, when an EU court threw out the idea that U.S. companies could self-certify their adherence to EU data protection standards. World leaders are still scrambling to understand the complications that the cloud introduces to the global nature of business today.

Multiple Regulations Add to Confusion

Without widespread standards, each country has adopted a profile of regulations. These are based on the perception of how internal data residency affects jobs and protection of citizens' data. The U.S., for example, does not have a nationwide data protection law, but it does impose rights upon non-U.S. data in-country through the Patriot Act.

Government can be an imposing extra participant in the relationship between company and cloud provider, and its regulations can put a company in a no-win situation. For example, a government might request data from a company, but per the agreement with the cloud provider, a government may be seen as a third-party to which user data cannot be provided without individual consent.

Some countries require some data captured by public institutions to be localized. Others require citizen consent before their personal data can leave the country. Some countries extend this to all data. Some countries allow a free flow of data as long as it does not contain personally identifiable information (PII).

Do not assume every country's approach is the same as yours. To protect yourself, forbid your cloud vendor from transferring data from one data center to another without your consent, even upon an "act of God."

Creating a Global Cloud Strategy

Despite this active ecosystem of laws and interpretations, the cloud remains a viable strategy. Part of preparing for the cloud is to do a country-by-country legal assessment for all countries in your company's ecosystem. A workable strategy always exists.

An important part of this strategy is to make sure all data-hosting policies have a strong location/jurisdiction component to them as well as a strong acknowledgement for global businesses that cloud services will be hybridized.

For some, the policy will dictate limiting analysis to data on a country basis. Frequent shoppers may need to be made aware that their purchases accrue by country or region or that some country purchases are excluded.

For many, multiple clouds will be necessary.

Understanding Restrictions

Although these laws tend to hurt rather than help a country's companies, you still need to understand and monitor the cross-border data restrictions when moving to the cloud. Understanding the location of your data is imperative.

Ultimately, these regulations could limit what you actually can do as a business, but they should not limit your smart move to the cloud. While countries and global corporations argue the restrictions out on the grand stage, your approach to data should deliver in the cloud as you adhere to these limitations.