Consider Cloud Locality to Comply with GDPR
The real-estate agent’s mantra of “location, location, location” is all too familiar to any home buyer. That same rallying cry now applies to GDPR compliance as well, adding yet another layer of complexity for those seeking to meet the requirements set forth by the European Union’s General Data Protection Regulation (GDPR).
Although the complexities of GDPR abound, those providing services via the cloud are facing some additional complications in the form of data locality. GDPR compliance includes some specific wording around data localization, which implies that certain customer data is to remain within the borders of a particular region or country.
Although data-localization laws are not necessarily new and were already the rule in many countries, such as Germany, Switzerland, the Netherlands, China, Russia, Turkey, Indonesia, Uganda, Tanzania, Kenya and others, prior to 2018, the forthcoming GDPR requirements bring data localization sharply into focus.
Specifically, the GDPR states that personal data can only be transferred to countries outside the EU when an adequate level of protection is guaranteed. If an organization has even the slightest doubt about a particular destination, the data cannot travel there. With the high cost of noncompliance looming in the future, many organizations are looking to play it safe and are seeking solutions that will ensure that their customer data stays within the EU, or even within the country of origin. That proves rather complicated for those looking to leverage cloud technologies that incorporate hybrid solutions.
Take, for example, Germany, which forbids sharing data across the national border (even within the EU) in the absence of guaranteed protection levels. Organizations looking to engage with German customers will have to carefully consider how their cloud strategy impacts GDPR compliance.
Luckily, all is not lost. Data-center colocation providers are paying close attention to data locality and are offering the means to maintain locality, while also providing the added benefit of low-latency access to data.
Channel Futures had the opportunity to meet with representatives of Interxion, the European colocation data-center services provider, at last week’s Channel Partners Conference & Expo in Las Vegas, to discuss the impact of GDPR on cloud service providers.
Patrick Lastennet, director of marketing and business development, financial services segment at Interxion, was able to offer some sound advice on the subject of GDPR and data locality.
“GDPR ensures harmonization of the data protection regulation across Europe, so there is no need to have arbitrage within the EU; however, it is strict on the transfer of personal data outside the EU,” Lastennet told us. “If a country is not deemed adequate, a special regulatory framework and clauses need to be in place. And in the event those are not totally tested yet against GDPR, there is a significant trend for non-EU companies to process their European data within the EU only.”
While that might sound like an almost impossible challenge for companies outside of the EU, Lastennet says companies should be thinking about how to best leverage the cloud and colocation to maintain compliance.
“For example, a U.S.-based company can choose to keep [its] tokenized/encrypted data in the public cloud within any region, while maintaining the associated token data and encryption keys in a secure and physically auditable colocated environment in the EU.”
Lastennet also explained that there are additional benefits to that approach.
“This type of ‘colocated arbitrage’ is not only more cost effective, but it also helps to mitigate the risk of data being compromised by keeping these data elements separate from the decryption keys,” he said. “By colocating ‘key custody’ close to the public cloud, within the same data centers used by CSPs to host access points, it allows the enterprise to account for both the compliance and data-performance needs of their customers.”
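The split Lastennet describes in the two quotes above, as an added example that is not Interxion's code or part of the article: key custody and the token map run only in the EU colocation site, while the public cloud store, in any region, holds nothing but opaque tokens and ciphertext. The HMAC-SHA256 counter-mode cipher, the sample record and the class names are assumptions made for this demo.

```python
import hashlib, hmac, secrets

# Constructed sample record for the demo; not real personal data.
RECORD = b"Erika Mustermann, Berlin"

def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with an HMAC-SHA256 counter-mode keystream (same call decrypts).
    Used so the example needs only the standard library; a real deployment
    would use an AEAD such as AES-GCM behind a key-management service."""
    out = bytearray()
    for block, start in enumerate(range(0, len(data), 32)):
        stream = hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(b ^ k for b, k in zip(data[start:start + 32], stream))
    return bytes(out)

class EUKeyCustody:
    """Runs only in the EU colocation site: master key and the token map."""
    def __init__(self):
        self._master = secrets.token_bytes(32)
        self._nonces = {}  # token -> nonce; data keys are derived, never stored

    def _data_key(self, token: str) -> bytes:
        return hmac.new(self._master, token.encode(), hashlib.sha256).digest()

    def tokenize(self, record: bytes):
        token = secrets.token_hex(16)  # opaque; reveals nothing about the record
        nonce = secrets.token_bytes(12)
        self._nonces[token] = nonce
        return token, keystream_xor(self._data_key(token), nonce, record)

    def detokenize(self, token: str, ciphertext: bytes) -> bytes:
        nonce = self._nonces[token]  # KeyError for tokens this vault never issued
        return keystream_xor(self._data_key(token), nonce, ciphertext)

class PublicCloudStore:
    """Any region: holds token and ciphertext only, never keys or plaintext."""
    def __init__(self):
        self.objects = {}
    def put(self, token: str, ciphertext: bytes) -> None:
        self.objects[token] = ciphertext
    def get(self, token: str) -> bytes:
        return self.objects[token]

def demo():
    vault, cloud = EUKeyCustody(), PublicCloudStore()
    token, ciphertext = vault.tokenize(RECORD)
    cloud.put(token, ciphertext)
    # What the provider outside the EU holds: no field of the record survives.
    plaintext_absent = all(RECORD.split(b", ")[0] not in v for v in cloud.objects.values())
    return vault.detokenize(token, cloud.get(token)), plaintext_absent
```

A second vault with its own master key cannot detokenize the first vault's tokens, which is the property that keeps the cloud copy useless without the EU-resident custody service.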
With GDPR requirements going into effect shortly, organizations looking to work with EU-based customers must take into account the more subtle requirements of the legislation and address now the issues that will turn into massive problems if they remain unremediated when GDPR goes into effect.