Our Thoughts

Why a local cloud provider will help you stay on the right side of data sovereignty laws

03 Jul 2017

When it comes to data in the cloud, it can be difficult to understand what you’re allowed to do with it. For example, is your data allowed to be ‘at rest’ – i.e. hosted – in another country while it’s not being used? Or do you have to ensure that all data is hosted within the UAE at all times? And would that fact alone affect your ability to build out a fully formed cloud-based infrastructure?

These are questions that CIOs working with the cloud have to grapple with. Indeed, data sovereignty has become one of the major sticking points of how feasible a cloud strategy can be. And in the UAE, the matter is particularly pressing, as falling foul of data sovereignty rules can result in hefty fines for your business, and even jail time for major offences.

The first major rule that has to be considered is the fact that UAE data sovereignty laws place restrictions on where sensitive data can be stored and analyzed. The rule of thumb is that, if you’re a public-sector organization, and therefore store government-related data, your data can in no way leave UAE shores. It must remain, at all times, under the jurisdiction of the UAE government. This means that opting for a cloud provider with data centers out-of-country is untenable.

But the rule extends far beyond public-sector organizations. If you’re in the healthcare industry, for example, similar restrictions are placed on data sovereignty, and the same goes for many financial institutions, too. Indeed, you could simply be a private-sector supplier serving a public-sector organization, and you still may have to follow the in-country rule.

To understand whether you’re subject to this rule, you need to carefully consider what type of organization you are, what types of organizations your customers are, and whether you handle sensitive information. Once you’ve determined that, though, you’ll also have to take steps to understand if you’re being compliant. That means working out exactly where your data might be hosted while it’s in the cloud.

Happily, Gartner offers a good guide to doing this. The research house identifies four types of data location – physical location, legal location, political location, and logical location. Which ‘location’ you use as the basis for your cloud strategy depends on your circumstances.

The physical location may vary, depending on where it is stored (a big question that your cloud provider needs to answer). But most international organizations tend to view closer as better. This means that, if you’re in the UAE, it may be preferable to host your data within the UAE.

Meanwhile the legal location refers to the legal entity that controls the data. But does that mean that, if you’re a company in the UAE, and you host data in Germany, that you’re the legal entity that controls the data? If so, then the legal location is the UAE. But what if a court decides that the German cloud provider actually controls the data – that would make the legal location Germany. Again, this is a question that needs to be ironed out with your cloud provider.

The political location takes into considerations such as law enforcement access requests and other political issues. Whereas the logical location is determined by who has access to the data. As Gartner explains:

“For example, a German company signs a contract with the Irish subsidiary of a US cloud provider, fully aware that a backup of all data is physically stored in a data center in India. While the legal location of the provider would be Ireland, the political location would be the US and the physical location would be India, logically, all data could still be in Germany.”

Gartner says that there is no obvious choice between these options for most organizations – each way of classifying data comes with its own pitfalls. In the UAE, however, because of the strict data sovereignty rules, the physical location approach is becoming the most prevalent. Rather than risk falling foul of the law, organizations are tending towards local data centers that keep all data within the UAE. After all, the definitions made in the law are not necessarily in line with the various definitions listed above. This means that, in the UAE, going local is the most obvious choice if you’re concerned about data sovereignty in the cloud.

Latest thoughts

The lowdown on the Gulf’s first Tier IV data center

The lowdown on the Gulf’s first Tier IV data center

What if you could take advantage of the power of a state-of-the-art data center without actually having to build one yourself?...

Know more
How outsourcing parts of your infrastructure could save you time and money

How outsourcing parts of your infrastructure could save you time and money

Most businesses can’t afford to reinvent their IT systems every year. Perhaps that’s why managed services have become so popular among IT leaders in the Middle East....

Know more
Why the time is right to explore InCloud

Why the time is right to explore InCloud

InCloud affords UAE organizations the ability to safely and securely take full advantage of cloud computing without needing to worry about data sovereignty problems....

Know more