Okay, so maybe that’s a fake..err..’alternative’ Trump tweet, but the post-Brexit and Trump President era has massive implications for any business storing client data.
The last few years have seen more and more software moving to the cloud. In fact I bet a good number of people reading this blog don’t actually know where your client data is being kept or if you’re in breach of data protection laws already. In simplest terms, if you’re a company operating inside the EU and your data isn’t, there’s little legal protections for what you’re storing and that’s actually kind of terrifying. Just think of the data you hold. We work with many financial service companies and they hold details on their clients money troubles as well as details about their vulnerabilities which may include confidential mental and physical health information. It’s easy to think of most clients as being of no particular interest to illicit users but your client base may include armed forces personnel, airline pilots, politicians and public figures. Data protection isn’t just an afterthought, it’s a serious law with very serious implications when it’s not correctly considered.
You have to ask your provider if they’re sure they’re keeping you on the right side of the law. If they’re worth their cost they should have limited their cloud server infrastructure to domestic servers owned by domestic companies only, but in the UK, many software houses probably asked their hosting providers to restrict to EU servers only instead. Pre-Brexit the decision to use EU servers seemed like a sensible approach, after all there is a much larger choice of server farms across the EU and prices for your hosting will go down as a result. The EU provided full data protection coverage to all member state citizens and the privacy of your data should have been fully respected by all… but what now? When Britain leaves the EU those protections will no longer apply anyone who hosted their data on the continent have failed to maintain the confidence of their clients. Even moving the data away from the EU before the big day won’t fully help – hosting data is a genie in the bottle situation – once the data has been out there it is logged and could be backed up and accessible even if you later change your mind and remove ‘your database’.
This has long been a concern of mine when asked about non-EU providers too. All the major platforms: AWS; Microsoft Azure; Google Cloud, allow you to ‘select your region’ to limit where the data is typically stored (though usually only down to the global region, not the country), but check those terms and conditions and you probably find reference to them making exceptions to comply with ‘governing bodies’ or routing around service failures. That’s not your governing body, or at least, not just yours – they mean the US government, who have the legal power to make their tech companies give them access to data and prevent those companies from telling you about it. They may need to make the company bring the data onto US servers first but that can be arranged under the guise of a service outage or resilience preparedness. Google, bound by the gag clause like everyone else can’t tell you specifically that your data is being processed by US government departments but in a nod to defiance they do at least tell the public this is happening by announcing how many data requests they are forced to comply with in this way on n annual basis. Whether targeted, justified, or actively used, the fact that a contractor for the NSA over in the US can look up the data you store on your clients and ship that off to companies, governments, or wikileaks is already a serious breach of your clients data protection rights.
You might be told your data is being stored and transmitted in an encrypted format and so it’s perfectly safe, but actually storing data this way isn’t common as it makes retrieval much slower, and encrypting over a level that governments can essentially break is illegal too, so you’re probably not getting as much protection from that as you might have been told.
Now don’t get me wrong – I’m a technologist at heart. My life was cloud based before there was a cloud. It’s a great way to run your infrastructure and for many industries absolutely the right way to go. Sadly the financial service sector needs to hang back a little though, and make sure it fully understands the issues that come about when you take more than tweets and vlogs out into that world. It’s always been Tigersolv’s opinion that any move to the cloud must be a dedicated private cloud provided by a UK company on UK servers when you’re dealing with customer private data, and we challenge you to ask your software suppliers to assure you that your data can’t possibly have been moved overseas and if they don’t fill you with confidence, maybe have a look around before you get caught up in the Brexit-Trump era lawsuits that could be closer than you think!