We talk about the possible impacts on compliance of geo-political instability, such as the sudden imposition of sanctions or even the destruction of physical infrastructure in China.
Also, Gorge talks about possible ways to mitigate the effects of geo-political instability on multi-regional data retention that centre on auditing data storage, the flows of data between datacentres, clouds and countries, and making plans to relocate data should the worst happen.
Antony Adshead: What are the risks to storage and compliance in the current geo-political climate?
Mathieu Gorge: What’s happening right now is that we’re seeing a lot of organisations looking at geo-political risks in much more detail.
I often talk about four main bubbles of risks for an organisation.
The first is geo-political risk. The next is financial and contractual and management of third parties. The next one is around brand and reputation and about managing your overall reputation globally. And then finally, it’s all about the actual cyber security risks and IT and disaster recovery.
So, in the light of what’s happening currently with the invasion of Ukraine by Russia, we’ve seen the impact that geo-political risks can have on data.
A very easy example of that is if you’ve got clients in Russia and you’re trying to do business, trying to invoice them for software subscription or you’re trying to send data over, you might actually be in breach of current sanctions.
If you’ve got a business in Russia and you have no physical access, you may never be able to get the hard drives or servers you have over there. And getting access to data that’s on servers based in Russia for now is still OK. The Russian government hasn’t actually stopped that, but at any stage that could happen.
Equally, if you had a cloud provider or a cloud instance that was based in Ukraine, the harsh reality is that it might actually be gone.
So, that impact is substantial and I think that organisations are trying to see if they have data, not just in Russia or Ukraine, but in other jurisdictions where things are politically tense because that geo-political climate may end up being a time bomb for access and control of the data and also because it might put you out of compliance because you have contravened sanctions that have been imposed.
Adshead: What can organisations do to mitigate these kinds of geo-political risks to storage and compliance?
Gorge: The first thing is to know where your data is, the overall ecosystem of your data. So, do you have data, generally speaking, split between different countries – as large organisations would have – with one country acting as a backup or disaster recovery site for the other? That, generally speaking, is best practice.
However, what we recommend you do right now is have a look at the various countries where you have data, download some country risk reports to try to understand the geo-political climate and try to minimise the impact of the crisis on your data.
So, in order to do that, you need to map out the flow of data in and out of the different areas of your ecosystem, you need to ensure you understand local data protection regulation, understand if the data is backed up somewhere else. And, of course, you need to make sure that the data is up to date and accurate on the live systems and also on the backups.
Once you’ve done that, you may decide to re-locate some of the data to more stable areas. As we are all connected, it’s very hard to know where stability is. Right now, generally speaking, you can say that the western world is probably a bit more stable, but it’s completely dependent on what’s happening in the rest of the world.
So, you need to weigh the pros and cons of having data in one single area, which I wouldn’t recommend. But also weigh the risks of having data in some countries that might be at risk.
And the reality is that for your business, you might have no choice to have data in those areas. For instance, if you want to do business in China, most of the time, with very few exceptions, you’re going to need to host that data in China.
So, you need to understand the ramifications of maybe one day that data not being available to you – what’s the impact going to be on your business, on data protection, on compliance for the whole organisation?
[You should] perform a risk assessment, look at the likelihood and potential impact and try to essentially mitigate that risk and reduce your exposure.
I would highly recommend that folks do an overall review of the data flow and of their data ecosystem, keeping in mind the current geo-political climate that is changing nearly every day.