An interesting thing happened this week. A supplier contacted us to let us know that they are moving some of the cloud services they deliver for us to a new data centre (in this context I’m defining ‘cloud’ as ‘stuff that is hosted by someone else – usually the system’s vendor’).
They didn’t let us know this as a courtesy – they had to let us know because the changes will necessitate some IP/routing changes at our end.
This got us thinking – in many cases, technically speaking, a vendor could shift their systems to a new location without letting the customer know. Indeed, much of the attraction of cloud/SaaS from my point of view is that all that stuff is opaque to me. As long as they are keeping my stuff safe I really don’t need to know what else they are doing.
A colleague of mine pointed out that the vendor could be moving stuff to China – we just don’t know. I’m not sure of the wisdom of choosing China here as an example of the ‘Wild West of Data’ but the point is valid – the UK Data Protection Act requires that we keep our data within the EEC.
Needless to say (I hope) whenever we let a SaaS contract there are clauses in there about security and it’s made explicit that the data must stay in the EEC. So if the supplier was to move storage to China they’d be in breach.
That’s sad though isn’t it? I drew 3 conclusions from our ruminations:
- How frustrating it must be for suppliers not to be able to move infrastructure to wherever works best for them. Inevitably this must mean that we’re paying more than we might otherwise.
- How archaic the DPA is in its stance on data location. I’m pretty sure (but willing to be proved wrong) that the ‘keep it in the EEC’ rule pre-dates the Internet. It needs updating to reflect the global nature of our networks.
- All of this might be irrelevant. I’m not entirely sure that the people hosting our data always know where it’s all sitting/going. Database sharding technologies mean that it’s quite possible that a single database is split between several countries at the same time. If the supplier has data centres across the globe will they definitely have ticked the ‘keep it in Europe’ check box?
Time to do away with this geographic paternalism. If we’ve checked that our suppliers know what they are about, from a data protection perspective, then who cares where the ones and zeroes reside?
To paraphrase The Rolling Stones – “Hey, you, do what you want with my cloud!”