The beauty of the cloud is the promise of simplification and standardization — without regard to physical or geographic boundaries. It’s this “any time, any place, any device” flexibility that is driving rapid adoption.
However, new government regulations on data sovereignty threaten to complicate the delivery model that has made cloud computing attractive, presenting new concerns for companies with operations in multiple countries.
While the striking down this fall of the United States-European Union “Safe Harbor” agreement made most of the headlines, I see the recent localization law in Russia (which went into effect in September) as a more significant development. The law mandates that personal data on Russian citizens must be stored in databases physically located within the country itself.
With this ruling, companies that capture, use and store data must abide by specific laws or face the consequences of falling out of compliance. Russia is a warning bell. With 20+ countries also currently considering similar privacy laws, the landscape will grow increasingly complex for cloud providers, and more costly for customers, thus chipping away at the beauty of the cloud.
To make the point clear, let’s take a look at what the Russian law portends.
Your business could likely store data in numerous locations across the globe, but because the software is cloud-based, it’s up to you to re-architect the way it operates, ensuring Russian data lives in Russia.
There is, however, some leeway that allows a business to process data at runtime in a different country from where the data is persistently stored. For example, your business can have a runtime in Germany, but the Russian employee data gets stored based on local rules in Russia.
So your cloud provider must have data centers in multiple countries. At SAP, we do, including in Russia, but I don’t think a data center in every country across the globe is a long-term answer.
So how do you calculate the risk of falling out of compliance? Here are three considerations for preparing for a worsening regulatory climate:
Create A Roadmap. Know where your company does business, and where it plans to. If expansion is on the horizon, start monitoring legislation in those countries so you can estimate costs and restrictions early and minimize compliance risk.
Know Your Cloud. Understand from your cloud providers where the data resides. What is their roadmap? What are the costs?
Realize How Mission-Critical Compliance Is. Every industry and enterprise is different. Maintaining compliance may be critical to your business, or it may be an afterthought. Understand how your company prioritizes these regulations and how much of your resources you should dedicate. You may decide that it makes more sense to manage data sovereignty on your own, or you may decide to hire a vendor.
In the post-Safe Harbor era, updates to data sovereignty legislation are likely to occur with greater frequency. If you manage data outside of legislated parameters, you may be fine for a period of time — but the truth is that you will face significant challenges if there is a data breach that can be traced back to your company.
There’s no United Nations of data; each country is looking at its own specific types of data. The only way to deal with it is to store specific data in-country. It’s expensive. The cloud is helping businesses move forward at an astounding pace by reducing complexity. The demand for simplification will continue to drive this journey.