I know what it’s like to have the company on your shoulders, to ultimately be responsible for each decision and action taken in the business. That’s your job as a CEO or Company Director. You are already juggling requests from employees and keeping an eye on sales and marketing budgets, invoices and administration. On top of all this, do you really need the headache of managing compliance with Data Sovereignty laws?
You need to know where the data is
Where in the world is your company data? Like many businesses, you might be taking advantage of the low cost and easy scalability of cloud storage. In addition to shifting IT infrastructure costs and providing low-cost storage, cloud-based storage boosts the productivity of your staff, enabling them to work from anywhere and on any device.
However, when your staff upload company files to the cloud – hopefully to a company controlled cloud and not to their own personal cloud storage accounts, such as a personal Dropbox or Google Drive account – company management should be asking: Where in the world is our data?
Management must ask this question because cloud storage providers, who offer storage hosted in overseas data centres, will take your company’s money with no questions asked. It’s not up to Dropbox, Box or any other cloud storage provider to ensure that the cloud storage you use meets legal and industry requirements in your home country. The aim of cloud storage providers is to grow their businesses, acquire more customers and earn more money.
When you use Dropbox, Google Drive, Box or SugarSync, it is possible that your files are not stored in one single data centre. Your files are likely spread over a number of data centres, and possibly even across data centres located in multiple countries. Unless the provider documents and contractually commits to where your data resides, this makes it very difficult to know where your data is physically stored, and without that knowledge there is no way to show that your storage complies with Data Sovereignty rules.
What is Data Sovereignty?
Data Sovereignty is the concept that information which has been converted and stored in binary digital form is subject to the laws of the country in which it is located. When you are storing data in the cloud, it is possible that your data is physically stored on a data centre which is located in a different country to where the data was created. So which Data Sovereignty rules apply? It’s confusing, isn’t it? Worse than just being a muddle, storing your data in the cloud could mean that your business is breaking the law or failing to meet industry compliance requirements.
As an example, in Australia*, Data Sovereignty is governed under the laws and regulations set out in the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APP). Section 5B of the Act states that the Australian law and approved privacy codes or guidelines apply to an action done outside of Australia by an organisation if that action relates to personal information about an Australian citizen.
To translate this to plain English: Australian privacy laws apply to all personal information about an Australian citizen, no matter where in the world that data is physically stored.
What happens if our cloud storage is located outside of Australia?
If your company is using a cloud storage service like Dropbox, Google Drive, Box or SugarSync, it is possible that data containing the personal information of Australian citizens is stored outside Australia. Sending it there is a cross-border disclosure, and under the Australian Privacy Principles (APP 8) your company must take reasonable steps to ensure the overseas recipient handles that information in line with the APPs, and it remains accountable if the recipient breaches them. If you do not know which data centres hold your data, or under which country's laws they operate, you cannot show that you took those steps, and you cannot control what the overseas provider does with the data once it has it.
Additionally, because your company remains accountable for the overseas provider, it could be liable for actions taken by that provider in storing and managing your client data. This includes any 'misconduct', which the Privacy Act defines as "… fraud, negligence, default, breach of trust, breach of duty, breach of discipline or any other misconduct in the course of duty". This definition of 'misconduct' is broad and general, making it more likely that companies could breach the Privacy Act and its Principles when using overseas-based cloud storage.
If your business is using overseas-based cloud storage services, you need to ask yourself these questions:
- Do we currently work for, or do we have plans to seek work with, government departments?
- Are we in breach of data sovereignty laws and regulations?
- Have we disclosed personal information about our staff or clients to an overseas recipient?
- Has this recipient breached, or could this recipient breach, the Privacy Act or the Australian Privacy Principles?
If your business is using overseas-based cloud storage services, and the use of these services breaches Australian law:
- Your company could face civil penalties and orders to pay compensation under the Privacy Act
- The breach could prove expensive, with civil penalties of up to A$1.7 million applying to serious or repeated breaches of the Act
- The impact of a high-profile lawsuit or of being penalised under the Privacy Act could seriously damage the reputation of your business and make it likely that you could never work with certain types of clients, for example government departments
If your business is a law firm, an accountancy practice or a provider of medical care – how would your clients react if their private data was exposed after a breach? How would you feel, how would you recover, if your company’s data was leaked and the private details of your clients was exposed?
Imagine the implication of leaked medical files… People with sensitive or embarrassing medical conditions would have their privacy violated. This type of breach might see your business sued or fined, but your business might be able to recover from this. Such a disclosure could have a serious, lifelong impact on someone who had chosen to keep a medical status, such as being HIV positive, private.
Consider the impact of leaked financial files. If your business provides tax services to companies, if you provide payroll services, debt collection, financing or salary packaging advice, there would be wide ranging implications and impacts from the public release of this data… Your clients’ competitors would have an unfair advantage, their customers may become upset when discovering how much profit the business is making, their shareholders would be extremely concerned by a leak and its potential impact on the share price…
Would we do business with a company that had breached the law?
Ask yourself this: Would I do business with a company that was found to have breached the law? I’m guessing your answer would be ‘No’; you would consider their reputation to have been too deeply damaged for you to associate with them, let alone do business. Now consider your clients making this decision about doing business with your company…
I’m sure that you would like to avoid this outcome.
Can my company comply with the law in the age of the cloud?
Yes, you can. You can know exactly where your data is, retain all the functionality of the cloud and do so for a price that is likely cheaper than that charged by overseas-based cloud storage providers.
Your Managed Service Provider (IT services provider), also referred to as an MSP, can organise Australian-hosted storage that works with a secure File Sync and Share solution. Introducing CloudFileSync, an easy to deploy File Sync and Share solution that gives you all the flexibility and functionality of the cloud with the certainty of knowing exactly where your data is stored. Here's how we do it:
- CloudFileSync gives you the power to create your own cloud. You can choose exactly where your cloud storage is based: on a server in your own building; on a server owned by your Managed Service Provider (IT services provider); or on storage hosted by a CloudFileSync Storage Marketplace provider
- When you choose a cloud storage provider from the CloudFileSync Storage Marketplace, you can see exactly where this storage is located and you can choose a provider based on the physical location of their storage server (at the time of writing storage is available in Australia, Germany and the United States of America, with more storage locations coming soon)
- When you choose to store your data on storage hosted by your Managed Service Provider, you are able to see where this storage is located
It’s up to the CEO to ensure a company complies with the law
Knowing where company data is stored is critical for businesses or non-profit organisations that operate in a range of industries dealing with sensitive data including health, finance, legal, infrastructure, engineering, mining, construction.
Cloud storage providers are not responsible for ensuring your company meets its legal requirements.
IT service providers are not responsible for ensuring their clients meet data sovereignty requirements – there are many providers who sell or resell Dropbox storage, even though the product stores data on USA-based servers.
Your staff will use a solution that is most convenient until the business mandates that they use one cloud service over another.
The reality is that the buck stops with the CEO or Director. It’s time to get your head out of the cloud and to act on using a secure, legally compliant File Sync and Share solution.
In most cases it should be cheaper, easier, faster and safer to use cloud storage inside your own country's borders. CloudFileSync can be deployed on storage located in your own country.
CloudFileSync is here to help. Get in touch with our team to learn more about how CloudFileSync can provide you with a secure, compliant, convenient and easy to use File Sync and Share solution that works on any device. You can speak with our team by filling out your details on the Contact Us page of this website.
* While this article highlights the impact of breaching Australian privacy and data sovereignty laws, it is important to note that similar laws, underlined by similar principles, exist in other legal jurisdictions.