GDPR Vs. Data Localization Vs. Public Cloud

Peter Whibley

The old joke goes that “the cloud is just someone else’s computer.” But what if you don’t know where that computer is located? Organizations using or thinking of using the public cloud have a dilemma. How do they maximize the benefits of using the public cloud yet comply with GDPR and other global data protection laws that require data localization? How do they square the GDPR, data localization, and public cloud circle?

GDPR vs. data localization

Data localization laws restrict the storage of personal data to within the borders of a particular country or region. A frequent misunderstanding about GDPR is that personal data must remain within the EU. This is not the case.

Specifically, personal data can be moved outside the EU, but only if the jurisdiction in which the recipient is located provides an adequate level of data protection. However, outside the EU, multiple global data localization laws do exist, including laws in Canada, China, Australia, and Russia.

This means that multinational organizations operating in the EU and elsewhere may have to comply simultaneously with both GDPR and any data localization laws specific to the countries in which they do business.

Data localization vs. public cloud

The distributed nature of the public cloud is one of its key strengths, delivering lower latency, higher availability, improved resiliency, lower cost, and better performance. Data localization laws that restrict where data can be stored and where cloud services can be used can diminish many of these benefits.

Strict data localization laws can restrict data protection in the public cloud. For example, if a particular region suffers a network outage or a DoS attack, all data in that region could be lost or compromised, or access to it could be restricted. In such scenarios, restricting the storage of business data to a specific country or region may inhibit disaster recovery efforts.

The challenge for organizations is to ensure they meet local data protection regulations where they exist, yet retain the flexibility to fully use their public cloud infrastructure in regions where strict data localization rules don’t apply.

Public cloud vs. GDPR

Public clouds deliver significant business benefits including scalability, elasticity, improved performance, and lower cost. However, when it comes to GDPR compliance, the public cloud lacks two key features: transparency and control.

A public cloud user will struggle to comply with GDPR if they don’t know where their data is being stored, moved to, or processed. In addition, an organization may be confident that some non-EU jurisdictions have adequate levels of data protection, but how does it ensure that its cloud data is stored and processed there rather than in riskier locations?

In order to support GDPR compliance in the public cloud, users need to know in near real time where their data is being stored, moved, and processed. They need to be able to configure and enforce rules that ensure that their business data is only moved to, processed, and stored in regions the European Commission has recognized as having adequate levels of data protection.

A flexible approach to data protection in the cloud

Attempting to comply with both GDPR and other global data localization laws by locking all of your cloud data within a specific region is a crude, inflexible solution that risks reducing many of the business benefits of moving to the public cloud. Instead, organizations need a more flexible approach to data protection.

Solutions are available that address the need for improved data transparency and control in the public cloud. By providing near-real-time visualization of where data is being stored, moved, and processed in the public cloud, organizations can easily understand if they are at risk of breaching GDPR and other data localization laws.

In addition, controls enable users to configure policies that can be used to enforce data protection and compliance simultaneously within the EU as well as elsewhere. If required, users can configure policies that go beyond local data protection requirements and rapidly adapt policies in response to changing global data protection legislation.

Learn more

Designed in partnership with public cloud providers, SAP Data Custodian can help organizations balance the requirements of data protection legal compliance with effective use of the public cloud.

This article originally appeared on the SAP Analytics blog and is republished by permission.



About Peter Whibley

Peter Whibley is a senior solution manager at SAP currently responsible for the go-to-market strategy and commercialization of SAP Data Custodian. Peter is a graduate of the University of Manchester and has held a variety of product management and product marketing positions within the enterprise software industry.