GDPR and Data Localization: The Significant (and Often Unforeseen) Impact on the Cloud

The EU's General Data Protection Regulation (GDPR) – enforceable on May 18 next year – is proving to be a huge challenge with many twists and turns. One of the most significant parts of the law is data localization. Data localization refers to laws requiring certain customer data to remain within the borders of a particular region or country. Data localization laws are not necessarily new: prior to 2018, Germany, Switzerland, the Netherlands, China, Russia, Turkey, Indonesia, Uganda, Tanzania, Kenya and others passed such mandates. But the looming GDPR is once again shining a light on them.

Specifically, the GDPR states that personal data can only be transferred to countries outside the EU when an adequate level of protection is guaranteed. If an organization has even the slightest doubt about a particular destination, the data cannot travel there. With the cost of non-compliance so high, many enterprises will refuse to gamble and opt to play it safe by ensuring their customer data stays within the EU, or even within the country of origin. Germany, for instance, forbids sharing data across the national border (even within the EU) in the absence of guaranteed protection levels.

Data localization will dramatically impact multinational companies (including many based in the U.S.) that use the cloud and conduct business in the EU, as well as cloud service providers themselves. This is because these organizations fall into the GDPR's definitions of “data controllers” and “data processors”:

  • “Data controllers” are defined as any “person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of processing personal data.” This is estimated to be up to 80 percent of enterprises in the world.
  • “Data processors” are defined as any “person, public authority, agency or other body which processes personal data on behalf of the controller.” Cloud service providers fall into this category, and it's not surprising that over the past few years the major providers have been quickly building out infrastructure across the EU to address the new requirements.

The public cloud offers many benefits to enterprise users, but transparency – the ability to directly see and understand where data is being stored and where workloads are being processed – is often lacking. From a GDPR perspective this is highly problematic, as multinational companies using the cloud will need to ensure that certain data stays in certain places and does not travel elsewhere. If customer data travels outside a defined boundary to a non-vetted area, both the enterprise and the cloud service provider will be breaking the law.

While enterprise cloud users are aware of the compliance risks, this is not deterring them from adopting the cloud. DataCenter Finland recently conducted a survey with 100 Finnish enterprises around the topic of GDPR. It revealed that 78 percent of the companies surveyed say it is very important that the data is stored within Finnish borders. Yet 55 percent of the companies say they plan to use more cloud-based services in the next 24 months. This reveals a disconnect: enterprises are not easing back on moving to the cloud, even though the public cloud does not deliver sufficient control and visibility over where data resides. 

Changes Ahead: In light of GDPR and data localization, we anticipate major changes ahead for the entire ecosystem. The major cloud service providers have already begun massive infrastructure build-outs across the EU to accommodate these laws. We expect these build-outs to continue, and we expect the major providers to follow the example of several cloud database providers that can discern and segregate EU customer data and offer tiered services with more stringent oversight (and higher costs) for this data. We also expect growth in private cloud demand, as many organizations will conclude that the storage and processing of personal data is so core to their business that they will want to keep these functions in-house.

Smaller hosting companies, which may have perceived themselves at a disadvantage (lacking the resources for cross-EU build-outs), will actually have an opportunity to collaborate with the major cloud service providers when required to meet their own end users' compliance needs. These smaller companies will have a unique opportunity to position themselves as fully transparent, trusted partners for assuring that certain data is kept within certain borders.

Among enterprise cloud user organizations, we expect greater demands for visibility and transparency into their service providers' data storage and workload allocation mechanisms, as well as multi-cloud strategies that enable them to toggle across various service providers as needed to ensure compliance. Trust will be key, and opposition to single-vendor lock-in will grow as enterprise users demand greater flexibility to meet country-specific compliance requirements, as well as the ability to seamlessly switch providers if trust is ever questioned or violated.

One thing is certain: for enterprise cloud users, trusted data localization capabilities are another critical criterion in evaluating and selecting providers. The implications of data localization for the cloud are another example of the GDPR's fine print that demands immediate and close attention.