Where your data is stored
Some governments mandate easy access to privately held information in data centres within their countries. Here are two examples:
Russia’s System of Operative Search Measures (SORM) allows Russia’s domestic intelligence agency, the Federal Security Service (FSB), to covertly monitor communications to, within, and out of Russia. The FSB can also compel companies and individuals to share data stored in Russia with them and could prevent the data holder from disclosing this to the data owner. All communication service providers (CSPs) operating in Russia are obliged to install equipment to enable the FSB to monitor communications. The FSB is not obliged to provide CSPs or commercial companies with any details of their monitoring by SORM. This may mean that you are unaware of how your sensitive communications and information may be used outside your commercial engagements in Russia or with Russian individuals and companies.
China’s National Intelligence Law (NIL) allows Chinese intelligence agencies to compel Chinese organisations and individuals to carry out work on their behalf and provide support, assistance and co-operation on request. This law may affect the level of control you have over your information and assets as you engage with Chinese individuals and organisations.
UK GDPR considerations
The UK General Data Protection Regulation (GDPR) sets out key principles which data controllers and data processors must comply with when processing personal data, including restrictions on personal data being transferred out of the UK unless the jurisdiction has adequate levels of data protection or there are appropriate safeguards in place. Failure to comply with the principles of the UK GDPR can result in substantial fines – up to 4% of your company’s total worldwide annual turnover, or up to £17.5 million (whichever is higher) in the most serious cases, as well as potentially damaging your reputation.
Foreign direct investment
If a data centre is open to foreign direct investment (FDI), shareholders from a country hostile to the UK may be able to gain greater influence over operational decisions, including security-related ones. This may increase the risk posed to your infrastructure and/or data should shareholders be linked to or pressured by their domestic government, which may be hostile to UK interests. CPNI, the NCSC and the Department for Business, Energy and Industrial Strategy (BEIS) have produced joint guidance on making informed decisions with regard to foreign investment and how this will work under the new National Security and Investment Act compliance regime.