Data residency laws require that certain types of sensitive data be stored “at-rest” in a specific physical or geographic location. With the EU’s General Data Protection Regulation (GDPR) coming into effect on May 25th, 2018, an inability to meet residency requirements could be costly; the current iteration of the regulation allows for fines up to €20 million for non-compliance.
This is a major issue for companies tasked with sorting out different compliance guidelines for different regions. Consider that a recent McAfee survey on data protection found:
Only 47% of organizations know where their data is stored at all times. The majority are unsure, at least some of the time.
Nearly half (48%) of organizations will migrate their data to a new location because of regulations like GDPR.
As international firms respond, those that created siloed applications across regions are looking at duplications in infrastructure that are complex, costly, and make global integration of data and auditing difficult.
Microsoft’s answer? Office 365 Multi-Geo, which allows companies to consolidate their regional and siloed cloud data into a single Office 365 Multi-Geo tenant, facilitating the ability to meet data residency requirements while also making global integration of regional data possible. Slated to become generally available in 2018, Multi-Geo capabilities are designed to help mitigate the potential risks and expenses associated with non-compliance and housing data in disparate locations.
How does it work?
The Multi-Geo configuration consists of one central site with satellite geo locations as opposed to multi-home data, which spans across multiple Office 365 datacenter regions. Information about geo locations, groups, and user information is centrally located in Azure Active Directory, which allows for collaboration, reporting and other experiences to seamlessly incorporate data from all regions.
Search, auditing, and delve all return data from across regions and indicate the location of data items, which improves the global user experience and allows for corporate governance of data by location. The configuration is secure, with specific sharing and data loss prevention policies by location, further enhancing an organization’s ability to meet regulatory requirements. The inclusion of PowerShell tools also allows for the easy transfer of existing users and content into newly assigned geographies.
Why does it matter?
The EU’s GDPR is a prime example of why companies need to identify solutions that will help them operate with confidence in their cross-border data systems. The pending requirements are a crucial update, yet significant confusion remains about which elements of GDPR will be emphasized and what penalties will realistically be incurred.
In fact, CSO Online wrote that when it comes to compliance and security, “a recent study from WatchGuard revealed that one in three global organizations weren’t sure if they needed to comply with GDPR, while similar studies have indicated that numerous U.S. firms think the regulation wouldn’t affect them (it does if processing EU personal data).”
Pharma is one of several industries that will likely feel the effects of GDPR. Multi-national pharmas maintain sensitive information related to research, clinical study results, and personal medical history. Having a clear understanding of where the data is stored is important for meeting privacy regulations and keeping foreign countries from subpoenaing data. Indeed, there have been cases in which U.S. law enforcement and intelligence agencies have had access to European data files, despite apparently strong protection laws – simply because data was in cloud storage.
If a pharma company is unaware of the physical location of data stored in the cloud, it is hamstrung in addressing the complex laws that govern the data in any jurisdiction in which it resides. This issue is magnified for multinational pharmaceuticals, which must also comply with the EU Safe Harbor and US Patriot Act, restricting data residency. Indeed, this is why Novartis (a trial customer cited by Microsoft) embraced Multi-Geo.
Is Office 365 Multi-Geo the right fit for my organization?
Preview customers have reported that Multi-Geo is not cheap. However, this may be due to the immaturity of the service. We believe pricing is likely to evolve as Multi-Geo becomes more generally available.
It is also important to note that Microsoft recommends against expecting that Multi-Geo will solve network performance issues, and that tenants with poor network performance are advised to look at how traffic is routed from workstations to Office 365.
Available services for Multi-Geo include Exchange Online and OneDrive for Business, while SharePoint Online is in development.
Will Multi-Geo help your company? There are a variety of factors that you’ll need to consider, from knowing your current data locations to understanding regulatory exposure to deciding how data will be handled going forward. We keep these issues top of mind, and will be watching the compliance landscape as we head in 2018.