The invalidation of Privacy Shield has raised many questions among Swedish companies regarding how to handle current and future storage of personal data in the cloud. That is why we have asked our cloud expert Victor Souza five questions, which provide concrete tips on how you, as the person responsible for IT architecture, should act.
What problems do Swedish companies face now that Privacy Shield has been invalidated?
– The biggest problem right now is the legal aspects. Since GDPR is a binding law for all EU companies, you risk violating the law if you store personal data in American cloud services now that Privacy Shield is no longer available as a certificate of approved protection level. This, in turn, can have serious financial consequences in the form of fines.
How should companies that began their cloud journey before Privacy Shield was invalidated proceed?
– At present, the only mechanism that can be used to regulate the transfer of data from the EU to the US is an older mechanism called SCC (Standard Contractual Clauses). So, in the short term, you should first and foremost conduct a thorough review of where you currently store personal data, which companies have access to that data, and then ensure that they are covered by an SCC. In the long term, you should consider how you can find a more sustainable solution for your data storage. You need to take into account that the legal power struggle between the US and the EU is unlikely to end in the next few years.
What is your recommendation to companies planning to begin their cloud journey in the next six months?
– The simplest answer is: keep everything related to personal data within the EU. That way, you can be sure you have the highest level of protection. Then draw up a well-thought-out set of requirements, where the cloud provider's geographical location within the EU should be the first qualification. Bear in mind that it is the company's domicile that matters, not the location of the data centre. You can then set requirements for security level, encryption options, algorithm strength, confidentiality management, etc.
How should one approach cloud mix – which data should be stored where in order to achieve a technically sound solution while complying with current regulations?
– From a security and personal data management perspective, it is best to use a cloud service provider based in the EU. Beyond that, it depends somewhat on the amount of internal resources and expertise available. If you are able to handle complexity, we recommend utilising different cloud services based on their strengths, known as hybrid cloud services. There are many providers on the market, all of which have areas they are good at and areas they are less good at. You get the best mix by choosing a cloud service and provider based on the specific task to be solved. If you are a smaller company with fewer internal resources, I would recommend gathering all data in one place as far as possible. This avoids complexity.
Finally, what are your top three tips for a successful cloud strategy?
– The first tip is to think long term. When it comes to storage, keep in mind that the Cloud Act is still in force in the US and that their policies will continue to lean more towards mass surveillance than data integrity. So you need to be a little smart there! Tip two is to sketch out a solid architecture. Get help from your IT department or a cloud expert who has completed previous cloud journeys to figure out, for example, how many layers you need, what data should be stored where, what your performance and security requirements are, etc. This will give you a good and clear picture of what you want to achieve! My third tip is not to throw everything into the cloud at once. Take it one step at a time. Start by moving the easiest parts to get some quick wins to show within the organisation. Then move on to the parts that are a little more difficult and have greater performance requirements. These are often things that need to be handled in real time, such as streaming, image or data processing. Save this for last!