Where Is Your Data? In-house, in the cloud or Behind the Sofa?
Thursday, September 28th, 2017
Chatting in the office about the approaching GDPR deadline, we were thinking back to some testing we did with our Network Horizons network security monitoring service for an SME client recently. We had to alert them to some data routing anomalies that meant that they were no longer compliant with a few EU data privacy rules, despite their contractual efforts to make it so.
Since the advent of the Internet, the ability to send data anywhere has matured to the point where we often don't know where information goes and, in some cases, don't care so long as it does what we need it to.
Aside from the issues around data privacy, cryptography, authenticity and so on, there are a few issues around EU law that are still causing problems in getting agreement on where data can be stored. More specifically, the Safe Harbor (Harbour for the British) agreement was meant to provide a means by which European data could be stored outside of the European Economic Area, in the US, on the proviso that certain controls were in place, given that EU data is subject to EU data privacy regulations. This agreement has since stumbled: it was rendered invalid in October 2015.
When undertaking network monitoring for this client, over a period of time, it became clear to us (and hence the client) that a significant amount of data was being diverted to South America instead of Ireland for one of their backup/resilience services.
In good faith, our client had signed contracts with an EU company for storage of data within the European Economic Area, but over a period of time changes must have been made to this service unbeknown to the client.
To avoid falling foul of data privacy regulations, Data Owners must ensure their own compliance by applying any of a number of remedies, such as including contract terms about storage locations or changing service providers. However, without a network monitoring service to let the client know that their arrangement had gone wrong, how would a client know, short of the service provider owning up?
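The kind of check described above, comparing where backup traffic actually goes against where the contract says it should go, can be sketched as follows. This is an added example, not code from the monitoring service mentioned in the post; the flow records, the prefix-to-country table (built on documentation address ranges) and the allowed-country set are all constructed assumptions.

```python
import ipaddress

# Constructed prefix-to-country table (documentation ranges, not real GeoIP data).
PREFIX_COUNTRY = {
    "192.0.2.0/24": "IE",     # stands in for the contracted storage location
    "198.51.100.0/24": "BR",  # stands in for an out-of-region destination
}
# Assumption: subset of countries the storage contract permits.
ALLOWED = {"IE", "DE", "NL"}

# Constructed flow records: timestamp, source host, destination IP, bytes sent.
FLOWS = """\
2017-09-01T02:00:00Z backup01 192.0.2.10 52428800
2017-09-02T02:00:00Z backup01 192.0.2.10 50331648
2017-09-03T02:00:00Z backup01 198.51.100.7 51380224
2017-09-04T02:00:00Z backup01 198.51.100.7 53477376
2017-09-04T02:05:00Z backup01 203.0.113.5 1024
"""

def country_for(ip, table=PREFIX_COUNTRY):
    """Longest-prefix match of an IP against the table; UNKNOWN if unmapped."""
    addr = ipaddress.ip_address(ip)
    best = None
    for prefix, country in table.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, country)
    return best[1] if best else "UNKNOWN"

def residency_report(flow_text, allowed=ALLOWED):
    """Return {country: {"bytes", "first_seen"}} for traffic outside the allowed set.

    Unmapped destinations are reported too, so a gap in the table fails closed.
    """
    out = {}
    for line in flow_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed records
        ts, _host, dst, nbytes = parts
        country = country_for(dst)
        if country in allowed:
            continue
        entry = out.setdefault(country, {"bytes": 0, "first_seen": ts})
        entry["bytes"] += int(nbytes)
        entry["first_seen"] = min(entry["first_seen"], ts)  # ISO timestamps sort as text
    return out

if __name__ == "__main__":
    for country, info in residency_report(FLOWS).items():
        print(country, info["bytes"], "bytes since", info["first_seen"])
```

The `first_seen` value gives a starting point for working out how long data has been leaving the contracted region.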