The GDPR is having a growing impact on companies’ data strategies. Even large US groups are not immune to its effects. Things have now got to the stage where the US is even talking about implementing its own country-wide data protection regulation. So why is that? The main reason that data protection officers are in such high demand by HR specialists is that companies must know exactly where their data is at all times in order to comply with the GDPR. This is not unproblematic in this era of extensive cloud usage.
The GDPR, along with country-specific rules such as those in Switzerland, is now making it essential for companies to store their data in their own jurisdiction. So it’s no surprise that more and more international service providers give customers a choice of countries in which they can store their data. Companies have various preferences on this front, depending on how stringent their security requirements are and how sensitive the data is.
Out: data storage in the global cloud
Consumer cloud storage services like Dropbox, which don’t specify where they store data, are clearly not an option for companies with sensitive or personal data. Having said that, a sort of “shadow IT” continues to exist in many companies with employees quietly using various unauthorised systems like Dropbox. However, the stricter rules that have come into effect with the GDPR have prompted an increasing number of IT departments to shut the door on such practices. If they don’t, they’re in danger of letting data leave the controlled environment of the company network and running the risk of violating current law.
In: data storage in your own country – or in the EU
Since the GDPR has come into effect, the EU and its member states have the most stringent data protection law in the world – even though there may be the odd exemption in individual countries. Preferences for storing data in the EU or in the home country vary from company to company. But in general, the more sensitive the data, the more likely it is that a company will want to keep it in its own country.
In order to fulfil the requirement for secure and traceable IT management, companies should choose cloud providers that have all the relevant certifications. These include ISO 27001 together with 27018 (the data protection extension) as well as certifications specifically for data protection, such as the Trusted Cloud Data Protection Profile Version 1.0.
Another important certification is ISAE 3402, which provides a set of indicators for financial services firms to verify the technical and organisational measures they have put in place. It ensures compliance with all requirements. These include country-specific rules such as those formulated by FINMA, the Swiss Financial Market Supervisory Authority.
Brainloop: data storage in six countries
For many years now, Brainloop has known about and understood companies’ need to store their confidential data in their own country or in their own datacentre. Our solutions are designed to meet these requirements and are as yet unmatched. With our multiple local cloud installations, we offer a major differentiator compared to competitors – with separate platforms in the UK, France, Germany, Austria, Switzerland and Luxemburg.
Our customers’ data is stored in high-security datacentres, which are complemented in the same country by a second datacentre as a backup. This is another area in which Brainloop leads, as the systems architectures of some other providers mean that the data does actually leave the country if there is a disaster recovery incident.
Our contractual agreements are important because they ensure you have control at all times over the storage location of your company’s data – also from a legal point of view. Our contracts include agreements for subcontracted data processing services and clearly regulate data storage. As a result, it is impossible to transfer a customer’s data to another location – even within the same country – without their permission.
To summarise: you’d be well advised to ensure your data stays in your own country – from both the legal and technical points of view.