When is data best stored in the cloud? When is it best-stored on-premise?

There are some considerations when it comes to deciding where data must reside.

In general, organisations are inclined to store sensitive or personally identifiable information (PII), such as financial or customer data on-premises where they have complete control. This is especially true when access to the data is primarily sought by internal employees or contractors.

On the other hand, data that is used by external parties, such as business partners or vendors, can be stored externally in the cloud to improve access to information and cross-company collaboration. However, as new security tools and approaches become available, the decision to store information on-premises or in the cloud can come down to the availability and cost of storage. Many organisations today are rapidly moving data storage to the cloud to take advantage of the improved user experience and the significant cost savings that weren’t possible with traditional, on-premises storage solutions.

What are the legal issues around storing data, whether it is on-premise or in the cloud? What is the current situation in the UK?

In most respects, the legal issues around whether data is stored on-premises or in the cloud are similar. There are specific requirements that must be addressed in both cases, such as governing who has access to information, where it is physically stored – including country or region requirements – and whether it must be encrypted ‘at rest’ and ‘in transit’.

However, there are additional implications for data stored in the cloud. For instance, organisations must be ready to validate the security and data protection controls put in place by the third-party hosting the data. The organisation will be required to show that any sensitive data residing in the cloud is protected to the degree required by law, especially with GDPR just around the corner.

Another important legal aspect of storing data in the cloud is drafting the appropriate security requirements and service level agreements with third party cloud vendors. It’s important all parties understand and agree to the specific safeguards which will be used and how the third-party will respond if any inappropriate activity is detected.  

How will things change when it comes to data storage on the cloud/on-premise when GDPR comes into force?

Specifically, with GDPR on the horizon, many organisations will require a considerable shift in their thinking and their IT business support systems as the focus on the protection of personally identifiable information (PII) is magnified.

The number one issue for organisations will be accurately identifying where PII data is stored. Once an organisation has a handle on the location of data, it can implement the required legal oversight and controls for each location, or move the data to a location that meets the minimum requirements for GDPR.

Embedding privacy early in the design process of systems ensures a holistic view of data Click to Tweet

GDPR legislation specifically introduces the idea of ‘privacy by design’ which means all new cloud and on-premises systems must be architected to ensure private and personal data compliance at the start and end of all business or service process.

Embedding privacy early on in the design process of systems ensures enterprises have a holistic view of what data they have, its availability, who can process it and who has access to it.  This means governing access in a sustainable, consistent and auditable way.

The reality is, privacy by design and securing PII is no longer merely a desire but is set to become a legal mandate.

It’s critical that any business subject to GDPR takes steps to understand the legal issues around storing data and how to implement the relevant controls and best support its obligations. Failure to do so will result in heavy financial fines and put the organisation’s reputation at risk in the longer term.

What are the drivers for putting data either in the cloud or on-premise?

The main drivers are the availability of the data, storage costs and security. Understanding the trade-offs between these three areas is how the organisation will ultimately decide where data can and should be stored.

What is likely to change in the next 12-18 months concerning data storage for organisations? What should be on their radar and why?

Over the next few years, more organisations will look at cloud-based storage options – that’s a given. As cloud solutions seek to address security permutations, enhance productivity gains and save on the corporate wallet, organisations will begin to seriously consider migrating data to this platform as the benefits significantly outweigh the risks.

Transition to cloud-based applications and business productivity platforms such as Office365 are also driving this transition. As more and more data starts out in the cloud, leveraging cloud-based storage solutions tied to these applications and platforms will become the default option for many organisations moving forward.