Grounded in the Cloud
Showing results for 
Search instead for 
Did you mean: 

Data privacy regulations and the cloud – real world opinions


Recently I was invited by The Economist newspaper to participate in an executive round table in London on the topic of “Securing data: Navigating the data sovereignty landscape”. With all of the recent interest around data sovereignty issues, especially in light of the European Court of Justice finding the EU Safe Harbor agreement invalid, the new proposed Privacy Shield, and the forthcoming EU General Data Protection Regulation (GDPR), I was looking forwards to some interesting discussions, and the round table didn’t disappoint.


To provide some background, one of the main concerns that organizations are faced with when considering the move to the cloud is the issue of data sovereignty – or, simply put, where data is located in the cloud at any time. Whereas in a traditional datacenter it was fairly easy to address this – the data was simply stored on servers in the datacenter, and could easily be tied to a specific geography – in a cloud environment the concept of geographical boundaries becomes very blurred, especially when you look at large cloud service providers offering elasticity, cloud bursting, and geographic redundancy in the case of service outages. In fact, as a number of the attendees in the discussion pointed out, it’s impossible to know with any degree of certainty exactly where your data is at any particular time when storing it in a public cloud.


The concerns are compounded by the commonality of data breaches. As has been shown by the dramatic increase in security breaches impacting large household names, spewing personally identifiable customer information into the public realm, no organization can claim immunity from hackers, and indeed a commonly held opinion is that it’s only a matter of time before every organization will be subject to a security breach. The proposed GDPR introduces significant monetary penalties to organizations that do suffer a breach – up to 4% of worldwide revenues in some cases – so it becomes very clear that having a solid plan in place that describes what should happen in the case of a breach is an important part of any organizational cloud security policy. In fact one of the conclusions from the round table discussion was that it’s not whether or not your organization is breached that will define the organization’s cyber reputation, but how well the organization is able to handle the aftermath of the breach.


The discussions also looked at the problem from a technology perspective, and it became clear that many of the participants felt that the current regulations associating data sovereignty with geographical boundaries were less relevant when an organization chose to protect cloud-based data using technologies such as encryption and tokenization, for example as used by the HPE Security - Data Security range of products. It was suggested that when data is encrypted, the location of the data was less relevant, compared to the location of the decryption key, however it remains to be seen how the law would actually deal with this situation of a geographical boundary being replaced by a logical boundary.


Another area of discussion was around the risk of putting data in the cloud – especially since technology solutions are often unable to distinguish between data that is sensitive, and data that is not sensitive, and the sheer scale of data within a modern organization means that it is also an impossible task for a human to handle retroactively. So ultimately decisions have to be made on what level of risk can be accepted when storing data in a cloud environment, remembering that whilst it is fairly trivial to outsource the operation of a cloud to a third party service provider, it is never possible to outsource the risk – in the case of a breach the buck stops firmly with the information owner.


The general opinion of the participants seemed to be that GDPR is a step in the right direction, and a solution that in time will provide organizations with a framework to follow when approaching the sensitive issue of data sovereignty. However, since the GDPR is not expected to come into effect until 2018, organizations are left with both a degree of uncertainty with regards to how to deal with data sovereignty issues until then, as well as a concern that they don’t have enough time to fulfil all of the criteria that the GDPR is expected to introduce – after all, as one participant pointed out, how can an organization comply with a regulation that still hasn’t been fully finalized (at least, at the time of the event), and is seen by some to be already out of tune with a number of the cloud-oriented data privacy challenges?


Economist report.JPGAll in all, an interesting morning which highlighted the fact that data sovereignty isn’t an issue that should be taken lightly when migrating to the cloud. At Hewlett Packard Enterprise, part of our hybrid cloud security strategy is to provide customers with solutions that offer continuous regulatory compliance. These solutions are supported by some of our in-house developed technology, such as the HPE Security - Data Security products for data encryption and confidentiality, and HPE IT Operations Compliance for continuous IT compliance, as well as third-party partner solutions such as the Intralinks range of secure online collaboration tools.


I would like to thank The Economist for hosting the event, and encourage anyone interested in the topic to download their white paper entitled “Companies, digital transformation, and information privacy: the next steps”. Additionally, Intralinks, supported by Hewlett Packard Enterprise, will be hosting similar roundtables in the near future in a New York, San Francisco, and Frankfurt – please click on the link for more details.

0 Kudos
About the Author


Simon Leech is a Certified Information Systems Security Professional with a specialisation in Security Architecture (CISSP-ISSAP), Certified Information Security Manager (CISM), Certified in Risk and Information Systems Control (CRISC), Certified in Cloud Security Knowledge (CCSK) and working in the Worldwide Security Center of Excellence within HPE Pointnext Advisory and Professional Services. Simon is active on Twitter as @DigitalHeMan

See posts for dates
See posts for locations
HPE at 2018 Technology Events
Learn about the technology events where Hewlett Packard Enterprise will have a presence in 2018.
Read more
See posts for dates
HPE Webinars - 2018
Find out about this year's live broadcasts and on-demand webinars.
Read more
View all