Today’s organisations are so used to the efficiency and flexibility of cloud services that only a few would be eager to return their data to self-maintained servers. However, the changed global situation has brought new political and geographical risks to the management teams’ agendas. These risks directly impact the globally distributed data centre networks powering cloud services.
How should leadership react if a data centre containing important data is located in a geography where law and order suddenly changes? The pandemic and Russia’s aggressive war have slowed globalisation, presumably leading to a strong downward trend in the country risk appetite of globally operating companies.
An essential framework for risk assessment and decision-making is the EU General Data Protection Regulation (GDPR), which came into effect in 2018. The personal data that every organisation possesses is, after all, primarily stored in cloud services.
After some initial grumbling, the changes required by the GDPR have been duly fulfilled. Typically, the distribution of data centres across the globe is not considered a problem. Even non-EEA (European Economic Area) companies must comply with GDPR when offering services in the EU and processing the personal data of EU residents.
A potential problem and an increased risk relate to the rights that local laws grant the authorities and to whether the local data protection legislation corresponds to the EU standard. In times of turmoil, this legislation, its application, or the physical security environment can suddenly change, and business risks may need a higher priority.
In some countries, the rights of public authorities contradict the GDPR requirements even under normal circumstances. For example, some local legislations allow security and intelligence authorities to access the data stored in data centres, regardless of the laws that the service provider follows.
Wisdom of minimising risks
European companies must unequivocally ensure that the GDPR requirements are fulfilled even when the data is processed outside the EEA. Should any risks materialise, the entire business is at stake, not only the data.
In unstable times, wise management minimises risks – even those that seemed very distant just a few years ago. As self-maintained servers are rarely a realistic option, cloud partner selection becomes an even more critical decision. The location of the partner and data centres, as well as the legislation they follow, should be of great interest to decision-makers.