For many firms in the UK, one of the challenges of choosing a cloud hosting provider is meeting compliance requirements that mandate where their data is allowed to reside.
This is perhaps most significant for organisations that handle the personal data of EU citizens, as the upcoming enforcement deadline of the GDPR means fines for non-compliance will be much larger from 2018 onwards. The ICO estimates that British companies could have faced fines of up to £69m last year if the regulation had been applied then – a hefty and worrying jump up from £880,500.
An obvious answer to this conundrum is to use a UK cloud hosting provider rather than a global supplier that offers less visibility into where customers’ data is stored. Even then, however, it’s important for firms to be diligent in ensuring their providers will commit to keeping their data on UK soil at all times.
With that in mind, here are three data sovereignty considerations when choosing a UK cloud hosting provider.
1. What can you find out about the provider’s data centre?
The first thing you should consider is the provider’s data centre – or data centres – themselves, and whether you’re comfortable they meet your security, compliance and data sovereignty requirements. You should also find out whether the data centre is actually owned and run by the cloud hosting provider – and, if it isn’t, find out exactly what kind of relationship is shared between the owner and the provider. If there’s a chance that something could change, will that have an impact on where your data resides?
Mergers and acquisitions are common in the data centre industry, and residents in third-party data centres often vote with their feet if they have problems with service quality. As such, it makes good sense to ask about the diversity and stability of a cloud provider’s supplier base if you want to ensure your data will stay in one place for the long run.
2. Where is the data centre located and are there any trade-offs?
Even with assurances your data will reside in a UK data centre, be aware the country covers an area of almost 250,000 square miles and there are meaningful differences in the quality of infrastructure even between major cities. As such, you should assess whether your data sovereignty requirements can be met without having to compromise on connectivity and resilience.
When finding out about the provider’s data centre, be sure to consider factors like availability of power, quality of connectivity to regional and national networks, latency, geographic risks, and even accessibility in disaster recovery scenarios.
3. How transparent is the provider?
Here’s where you’ll need to read the small print and find out how your provider operates behind the scenes. If your data is stored in the UK, for example, but the backup data is stored elsewhere – does it still meet data sovereignty requirements? Equally, if they have a failover facility, you’ll need to ensure that it meets your compliance requirements should their disaster recovery measures be invoked.
More generally, you’ll want to see whether your provider can answer any questions you may have about data sovereignty satisfactorily. And, as a whole, you shouldn’t have to use a magnifying glass to read the small print – they should be open, honest and transparent about how they run their data centre and how they’ll help your organisation deliver compliance using their services.