Where your data is stored
Managed hosting or cloud hosting providers may sometimes seek to store your data or manage your service in multiple locations, including outside of the UK. When this happens, it is important you know where your data is stored and from where it may be accessed.
Some governments mandate easy access to privately held information in data centres within their countries. Here are two examples:
Russia’s System of Operative Search Measures (SORM) allows Russia’s domestic intelligence agency, the Federal Security Service (FSB), to covertly monitor communications to, within, and out of Russia. The FSB can also compel companies and individuals to share data stored in Russia with them and could prevent the data holder from disclosing this to the data owner. All communication service providers (CSPs) operating in Russia are obliged to install equipment to enable the FSB to monitor communications. The FSB is not obliged to provide CSPs or commercial companies with any details of their monitoring by SORM. This may mean that you are unaware of how your sensitive communications and information may be used in Russia or with Russian individuals and companies.
China’s National Intelligence Law (NIL) allows Chinese intelligence agencies to compel Chinese organisations and individuals to carry out work on their behalf and provide support, assistance and co-operation on request. This law may affect the level of control you have over your information and assets as you engage with Chinese individuals and organisations, especially if you work in an area that is of interest to the Chinese state, even if your data is hosted outside mainland China.
Where your data is accessed
Once you are confident that where your data is stored is consistent with your risk appetite, you need to apply the same principles to where your data is accessed. For example, if you use a follow-the-sun business model – whereby services or administration of your systems take place remotely by employees or contractors based overseas – local laws will still apply and may introduce further risks.
UK GDPR considerations
The UK General Data Protection Regulation (GDPR) sets out key principles which data controllers and data processors must comply with when processing personal data, including restrictions on personal data being transferred out of the UK unless the jurisdiction has adequate levels of data protection or there are appropriate safeguards in place. Failure to comply with the principles of the UK GDPR can result in substantial fines – up to 4% of your company’s total worldwide annual turnover, or up to £17.5 million (whichever is higher) in the most serious cases, as well as potentially damaging your reputation.
If you think you may need to transfer personal data internationally, or that personal data may be transferred between UK and non-UK data centres, make sure to check the latest ICO guidelines on how to do so legally and securely before you do.
Depending on the sensitivity of your data, or your obligations under UK GDPR, you may wish to ensure that at a contractual level with your provider, your data is only ever stored within an agreed jurisdiction (for example, countries that form part of the data adequacy whitelist) to mitigate any risk.
Ownership security considerations and foreign direct investments
The ownership of the data centre, or who the centre could potentially be owned by, can put your sensitive or business-critical information at risk.
If a data centre you use is open to foreign direct investment (FDI), shareholders from a country hostile to the UK may be able to gain greater influence over operational decisions, including security-related ones. This may increase the risk posed to your infrastructure and/or data should shareholders be linked to or pressured by their domestic government, which may be hostile to UK interests.
To prevent this:
- Conduct your own due diligence - Be sure to conduct appropriate due diligence on who is invested in the data centres you use and consider their geography and ownership.
- Create contractual agreements - You should consider contractual clauses that could ensure that your data will remain in the UK, regardless of who takes ownership of the data centre, and that you are forewarned of any FDI or ownership changes that happen after you sign your contract. You may also want to consider adding a clause that allows contracts to be cancelled early in the event of any change in ownership.
- Contractual clauses can used to ensure you are notified, and possibly required to approve, any changes to IT or Operation Technology (OT) networks or security systems. These clauses can not only be applied to changes in hardware, but also changes to security policies and procedures, as well as use of subcontractors. This helps ensure that transfers of ownership do not result in changes to the data centre that has a detrimentally impact on your equities.
CPNI, the NCSC and the Department for Business, Energy and Industrial Strategy (BEIS), have produced joint guidance on making informed decisions with regards to foreign investment and how this will work under the new National Security and Investments Act compliance regime.