There is no denying that the future of cloud is not just with a single provider, capable as Azure, AWS and the other public providers are. For true data protection, your information needs to be in three separate locations, and with the rise of data sovereignty, there is a need for data to be kept within the boundaries of a nation-state. GDPR will place other obligations on companies and their data compliance. Smaller countries will suffer more than larger ones, with their multiple regions and zones per country per cloud provider. Smaller countries like the UK will have problems, as a single provider will not have three regions for true resiliency. Microsoft, for example, will have two regions in the UK for Azure (London and Cardiff) and two for Office 365 (Durham and London). Amazon will only have a single AWS zone: London. (Europe retains Frankfurt, Ireland, and Paris.) The other public cloud providers do not fare much better. Post-GDPR, data sovereignty will be front and center. So, what exactly can you do if you want, need, or desire to be totally in the public cloud: sell your customers in Europe and the world and not fall foul of transnational data-protection laws? A multicloud may be the answer.

Stick figure face in top hat with four arms holding logos for various web services
MultiCloud Puppet Master

Let’s look quickly at the main market providers: India, China, and the US. How they can remain compliant?

There are two options, but both would most likely require reengineering a CRM to split EU and non-EU (and UK PII post-Brexit) into separate customer tables. This sounds fairly simple, but consider this. Both the EU regulation and the forthcoming UK law stipulate that the law applies to their citizens, no matter where they are residing. That, means that my family, which currently lives in Australia, is covered. There will have to be a data cleansing to either expunge legacy customers (something sales teams are very reluctant to do) or a data manipulation to add a new field to the tables denoting citizenship. These are not insignificant tasks. Alternatively, a company could chose to draw a line in the sand, treat preregulation data as ring fenced, and move forward with a new system that adds the necessary identifier. (This option is fraught with difficulties, especially with regard to the aging nature and the right-to-forget principle.)

Now, for the larger markets mentioned above, keeping this data in your market is a trivial task. These markets have multiple options for the majority of cloud providers. As an aside, remember your obligation to have a presence in Europe if you trade in Europe. This does not need to be a corporate presence, but there is a requirement for a representative (lawyer, accountant—there are many companies offering this service in Europe).

How do the smaller markets handle this and retain three data locations for protection?

  • Splitting their data into geographical regions—unsustainable, especially for a smaller enterprise.
  • Staying on-site with their own equipment and software—possible, but the premise of this article is they wish to be totally in the cloud.
  • Splitting data across multiple public clouds—this is the best option, but it entails learning multiple user interfaces and differing lexicons for what is essentially the same thing.

What can the smaller enterprise or a geostatic corporation in a smaller country do to aid in data sovereignty?

Larger entities have programs like RightScale Cloud Management, Scalr, and Cloudyn, to name a few, to manage, automate, and orchestrate your data. They also do a very good job of cross-cloud/hypervisor functionality and file synchronization across blobs.

But what about those entities that do not have equally deep pockets or the technical ability? Here we have MultiCloud, which can manage the movement of your data across clouds, be that synchronizing across Dropbox, OneDrive, and Box or across AWS, Azure, and GCP storage.

Multicloud is now a real thing. All companies, large or small, need a strategy on how to deal with it, as even the largest of public cloud providers can’t guarantee data sovereignty for the vast majority of countries. GDPR is only one reason you should care.