Data is a commodity and the value of it gets an awful lot of attention at the moment. The European Union's general data protection regulation (GDPR) has gained a lot of attention both in the public and the administration departments in many companies in recent years. What has previously been a concern for IT and security managers has now reached the management level and become an item on the agenda.
Because data is valuable. Not only the sensitive kind, but also the data offering insights into conditions of production, economy and other business-critical aspects. Access to your data may provide outsiders with information you prefer to keep to yourself, and for this reason it is crucial that the doors are securely locked. In addition, it is vital that you are constantly in control of the location of your data. Though, this might be quite problematic. Especially, if you place your data in the Cloud without careful consideration and preparation.
Data controller and data processor
For most companies placing applications in the Cloud is a natural consequence of the digital transformation. It brings about multiple advantages - not least concerning stability, agility and security - but it also means that you rely on your cloud provider's interpretation of the regulations to be consistent with your own interpretation. This is where things start to get complicated.
Let's take one step back and take a look at data processing agreements. A data processing agreement is a legally binding document between two parties - a data controller and a data processer - including guidelines for how the data processor should manage data on behalf of the data controller.
In any case a data processing agreement is a good idea. It is crucial that we, as individuals as well as companies, feel confident that our data is processed correctly. The challenges arise - as in many other instances - when principles are operationalized. When returning to the cloud reality, the cloud service or company you choose will become your data processor. You are the data controller, hence it is your responsibility that your customers' data is in safe hands when signing a data processing agreement with, for instance, Amazon Web Services (AWS).
Then in theory you would be on sure grounds, but nothing is guaranteed. Even though both your and your cloud provider's data processing agreement are correct and meet the legal requirements (which, by the way, will always be the case for the cloud provider, as it is a prerequisite for GDPR compliance, which in turn is a prerequisite for being allowed to deliver the service), the problem might be that the agreements aren't compatible.
As previously mentioned, a data processing agreement is a legal document, which by nature is a complex entity. Not least because of the ambiguity of law - much is left for interpretation.
Challenges across borders
Let's return to the largest public cloud providers, for instance, AWS: Many companies - perhaps also yours - have a standard data processing agreement, in which it says that the location of your data must be explicitly stated. However, in AWS' agreement it only says that the data is stored, for instance, "in Frankfurt".
Similarly, it is common practice that the data processing agreement states that you, as a data controller, must be allowed physical access to the datacentre(s) in which your data is stored. Again, (as an example) AWS' policy does not allow physical access.
What about encrypted data? Many include a requirement in their data processing agreement that data must not be accessible to outsiders, and it is evident in AWS' general conditions that data is encrypted, for which reason the employees can't read them. While this might be true, the reality is typically different. If support is included in the agreement with your cloud provider, the cloud provider has access to your data. This challenge is also known as the "follow the sun" problem which is relevant, if the data processor has a support centre in, for instance, India.
In order to be able to offer support 24/7 the cloud provider assigns the task to an employee located in a country, where it can be taken care of during day time. In this situation your data will be located in India, but what if your data processing agreement dictates that your data may not leave Europe?
The war rule complicates your work
We aren't trying to freak you out, but we have to mention one more thing: the so-called war rule.
The war rule sets limitations for which data public organisations are allowed to store in foreign countries. The rule is not about IT security (that's part of GDPR), but security of the state. When the new data protection regulation came into effect the 25th of May 2018, practice changed and this brought about a challenge for the rule. Practice changed in the sense that it is no longer the individual public body's responsibility to interpret the rule. This responsibility now belongs to the minister of justice and the relevant department. They are jointly responsible for composing a so-called negative list of the systems that are to be kept - either in part or in full - within the borders of the country. Though, seeing that the individual minister is allowed to delete or add systems without notice, you can't be sure that the lists are up to date. This is why you can't be completely sure which systems are to be kept within Denmark.
Ally yourself with an expert and benefit from it
Considering these challenges one or two decision-makers are probably left thinking that Public Cloud is a bad idea. Though, that is a hasty conclusion to draw.
A cloud solution remains to be an obvious choice for many companies. Placing your applications in the Cloud allows you to benefit from stability and security, and for many companies the cloud step is - if not unavoidable - the most natural first step towards digital transformation.
In this connection it is important to emphasise that a sub-provider - whether it being Netic or one of our colleagues in the industry - is not taking over the responsibility. This is simply not allowed according to legislation. A data controller simply can't outsource the responsibility of its data.
In the end it is all about trust. Like in most other contexts in not just our professional lifes, but also in our private lifes, we depend on each other, and we are fundamentally dependent on the organisations and people we interact with to have the best intentions.
It also has to do with knowledge and overview. It is difficult to prepare in the best possible way, ask critical questions and go carefully over agreements, if you are uninformed. This is why we recommend that you ally yourself with an expert, who comprehends the critical infrastructure and has specialists, who can help you with technical issues, law and data security.
What a sub-provider can do is make your everyday life easier as a customer by preparing you to engage in a dialogue with your cloud provider. This involves composing a data processing agreement which - in the best possible way - allows for a reasonable balance between your and the provider's requirements and expectations. A data processing agreement should be composed before you choose the platform for your infrastructure and applications. It will save you a lot of time and money.