Data Protection legislation has long been a minefield that many have tried to avoid; it is only further complicated by the ever growing number of next generation service providers moving your data off-site and into the cloud.
The market is now crowded with providers who'll store your documents, manage your accounts and book-keeping, centralise corporate CRM, improve the end-to-end sales funnel and streamline manufacturing throughput; all whilst outsourcing your IT, HR and legal services.
That's all fantastic, with the virtues of the 'cloud' now well documented and understood. But whilst the benefits are obvious, the cloud is a major data protection headache for any IT security and compliance representative.
If your entire company's data sits with a single provider in a single geographic location, ensuring full compliance is made somewhat easier; although such a scenario raises more questions than it answers (but I'll save that for another blog).
So what if you're living in the real world and your data resides with a multitude of different providers, geographically distributed (often globally), each operating its own security, data retention and disaster recovery strategies? It may be your data, but are you really in control of it?
Safe Harbor is dead.
With the EU in the midst of negotiating a new General Data Protection Regulation (GDPR) to replace 1995's EU Data Protection Directive, combined with recent revelations from Mr Snowden and the somewhat unexpected judgement that the EU / US Safe Harbor agreement is now invalid, Data Protection has never been a hotter topic.
The death of the Safe Harbor agreement throws a serious spanner in the works for any European company storing data in the United States. Opinion appears split as to how this will all play out, but one thing is for sure: the first question on your security and compliance checklist should be "is ANY of our data stored in or processed by a US based company?". If the answer is NO then breathe a little easier; that's the hard bit done.
Where is my data?
Knowing exactly where your data is located isn't always as obvious as it may at first appear.
A company with US-based headquarters may have local storage provision across Europe and Asia; whereas a UK / European service provider may choose to host out of US-based data centres. As the data controller you are responsible and expected to know not only what data you store, but where it's stored and by whom and how it is processed.
It can get very complicated. Take a scenario whereby a US company is asked by US authorities for personal data on an EU citizen, where that data is located in an Irish data centre. That's a data protection conundrum no one wants to deal with, with at least one nation's legislation being tested (and potentially broken).
Just down the road.
TreeVue is a UK-based company running its service out of highly secure, resilient and scalable data centres across Europe.
Unlike many of our competitors, we can guarantee that all of your data resides within EU boundaries at all times. This not only applies to ongoing document storage but to all tiers of our multi-tiered application stack, including any temporary caching, associated meta-data or any other form of transient content.