Do You Really Know Where Your Data Is?
Let’s say your business is based in Calgary. You also have a branch office in Halifax. Your main supplier is in Asia. And your biggest client is in the U.S. You know exactly where all of those key players are. But think fast: do you know where your company’s data is?
Thanks to the cloud, we can store, access and share data from almost anywhere at any time. But data you create in Calgary, for example, may be stored thousands of kilometres away in Asia or the U.S., depending on where your cloud provider’s servers are located.
Today, much of the data we own may actually reside far away from us geographically. This gives rise to the issue of data residency. In a nutshell, your cloud-based data is subject to the laws in the jurisdiction where your cloud provider and its servers are based – not where your company is based.
Why it matters for businesses
The most common example of this issue today is the U.S. Patriot Act. If your cloud data is stored on servers located in the U.S., the Act gives the U.S. government the power to access your data for national security purposes. So even though your business is located in Canada, your data is subject to this particular U.S. law.
Now you not only have to ensure your business complies with Canada’s national and provincial laws, but you also have to deal with the fact that your data is subject to the Patriot Act. How could this affect your company’s ability to comply with Canadian regulations regarding privacy and financial data, for example? Read on for some tips about what else to consider and possible steps to take.
What you can do
Here are some key questions you can ask:
– Where is your cloud provider’s corporate head office?
– Where is your cloud data stored and backed up?
– Does your cloud data pass through any other territories?
– Who retains the rights regarding ownership, control, access and usage of your cloud data?
– What happens to your data after you end your contract with the cloud provider?
– Under your contract, does the cloud provider have to notify you of any access requests from government authorities?
– Does your provider have to notify you of service changes that could have data sovereignty implications?
– Can your provider guarantee that its service and procedures meet compliance laws for certain jurisdictions specified by you?
– Will the data security laws in your provider’s jurisdiction conflict with other compliance rules (e.g., privacy laws) your company must already follow?
If your business is concerned about – or could be immediately impacted by – data residency issues, you can look into a Canadian-based cloud service provider that stores your data in certified facilities that are 100% Canadian owned and operated. This can help to keep your data secure, under the protection of Canadian government regulations, and hosted in facilities that meet top industry certifications.
The bottom line
Although cloud-based services have helped break through various logistical and cultural barriers to turn this planet into a truly connected global community, this is one instance where geopolitical borders can still make a big difference. Don’t assume data sovereignty is no big deal. It’s important to do some digging to find out how the location of your cloud provider and cloud-based data could affect your legal liability and regulatory compliance.
What concerns does your business have about data sovereignty? Has this issue played any role in your choice of cloud service provider(s)? Join the dialogue by sharing your thoughts in our comments section below.