What Cloud Localization Means for Organizations

India Cloud, China Cloud, U.K. Cloud, and U.S. Cloud — it may not be long before we are talking about country-specific cloud technology. Until now, the spotlight has been on cloud providers — Microsoft, IBM, Amazon, Google, Alibaba — and their generic and industry-specific capabilities. Data localization has often been considered an afterthought, but this issue is one that enterprises must consider in their cloud computing strategy as they invest and innovate with emerging technologies such as artificial intelligence, internet of things (IoT), and blockchain. As governments around the world begin mandating data localization laws, organizations will need to address the wide-ranging implications in strategic ways as part of their national cyber policies.

Recently passed regulations in the European Union around data privacy, such as the General Data Protection Regulation 2016/679 (GDPR), have pushed cloud providers and enterprises to implement data storage in local servers and encryption requirements in their products and services. Outside of Europe, especially in Asia (with the noted exception of China, which has rigid localization laws), data localization has mostly been a passive issue. With India’s recent aggressive push to pass data localization laws, it’s just a matter of time before other emerging economies accelerate similar policy measures, as data and cyberspace become the next frontiers of innovation, competitiveness, trade, and foreign policy levers among nations.

Democratically elected governments around the world will be abdicating their responsibility if they don’t have control over the data originating within their sovereign borders to address problems of national interests and crime. Recently, when the government of India circulated a policy document that described its plans to mandate that cloud providers and multinational companies operating in India store data generated from transactions and interactions with its citizens in locally hosted servers, the reaction from the global companies and cloud providers was collective criticism and backlash. The policy was criticized as a barrier to global trade and innovation. However, recent noteworthy data breach events, whether Cambridge Analytica, Wikileaks, or even the continued spreading of fake news on social media platforms, have raised the call for firmer policies around data protection. The remaining question may be where the line of privacy and localization should be drawn for governments, organizations, and consumers.

In an effort to future-proof against possible localization outcomes, there are five focus areas that global organizations should address when assessing their enterprise cloud strategy:

1. Industry and global context. Companies should assess cloud vendors based on a set of business and technical dimensions on their industry and global context. Organizations are increasingly considering global, multi-cloud strategies due to conflict of interests, privacy concerns, country-specific capabilities, and cost leverage. For example, the retail and consumer goods industry has become increasingly uneasy with Amazon Web Services (AWS) due to concerns over competitive advantage.
2. Global IT governance. The IT operating model will become more decentralized and complex across the global landscape. This will require the right organizational structure, autonomy, and tighter coordination through a global operating council of technology leaders. At PwC, the global council of technology leaders meets at least once per quarter every year to share lessons learned, leading practices, and reusable assets to tackle digital challenges.
3. Global interoperability and reusability. Cloud computing standards should not be designed as “one size fits all” but rather as a tiered approach where global, regional, and local templates, software code, and algorithms can be applied based on country-specific regulations. For example, one might ask: What is required for an AI application deployed in the United States to be reused in a cloud environment in Europe or Asia with minimal changes?
4. Privacy and security standards. Keeping track of privacy and security rules at the country level and implementing controls on the cloud is an onerous task. Enterprises should institute a global privacy organization with autonomy at the country level to implement local privacy policies and templates on the cloud. Facebook was recently fined by the European Union over privacy violations and has taken steps to build a dedicated privacy organization and automate privacy controls.
5. Data access controls. Global cloud applications need appropriate security controls and audit logs to track data access patterns as data storage, computing, and consumption shift from a shared global instance to a local mode. As data becomes more of a monetization asset, the risk becomes whether it might end up in the wrong hands by theft and misuse.

This new era of data localization regulations will also affect cloud providers and impose margin pressures on their business as they ramp up their capital spending to develop new cloud infrastructures within each country and deploy local services and personnel to comply with new regulations. This will, in turn, have a ripple effect on global enterprises in terms of cost effectiveness, quality of service, and innovation as they leverage cloud platforms.

As equally affected stakeholders, global enterprise, digital transformation, and cloud business leaders should work together with local governments and technology councils in their regions to educate and influence commonsense cyber policies and laws. In the future, it will continue to be crucial that regulations protect user privacy but also support a global growth trajectory without hindering the momentum of the digital economy.