How to survive in a post-safe harbour world

Phil Muncaster

Friday 15 January 2016

We discuss why UK and EU businesses with cloud service providers (CSPs) based outside of Europe must reassess their data controls and access.

On 6 October 2015, in a landmark decision, Europe’s top court declared invalid the 15-year Safe Harbour agreement between the US and European Union. This ruling affects not only the thousands of cloud businesses storing EU citizens’ data in data centres over in the US, but also their corporate customers across Europe.

Where is my data stored? How is it protected? And am I compliant? These are the sorts of the questions that IT leaders need to start asking themselves. While it’s true that a new Safe Harbour agreement is currently being thrashed out by US and EU negotiators, if nothing else, the current regulatory uncertainty offers organisations an opportunity to revisit their cloud strategy.

What happens next?
Safe Harbour was designed to streamline the process of data transfers between the EU and US, enabling American companies to comply with the EU Directive 95/46/EC on data protection, and thus legally store EU citizens’ data in US data centres. But then last year German Facebook user Max Schrems questioned whether his social networking data might be at risk from NSA spies – violating the fundamental EU right to data protection. The European Court of Justice agreed and Safe Harbour was effectively scrapped.

Here are some top tips on what to do next:

  • Take stock of your current situation. What customer data do you hold? What is being transferred outside the EU? Where is it going? And what are you doing to secure it? Check these arrangements against the advice from UK privacy regulator the Information Commissioner’s Office (ICO).
  • If possible, renegotiate your agreement to ensure your CSP stores customer data only in its European data centres.
  • Tokenisation of data should be a goal to work towards. It replaces sensitive data with unique identifiers, minimising the exposure of that data in at-risk environments. As such, it could help firms reduce the risk of data loss in light of the Safe Harbour ruling.
  • Strong encryption is another tried and tested way to keep data safe from the prying eyes of hackers. It needs to happen at rest, in transit and in use.
  • If you’re choosing a new cloud provider, be sure to spend a serious amount of time on due diligence. In a post-Safe Harbour world, where your CSP stores – and how it secures – your data is more important than ever.
  • If your company regularly uses and/or shares customer data, take best practise steps to anonymise that data.


Building the next-gen data centre

Where traditional and web-scale apps co-exist