All companies face challenges in managing and protecting their data. For organizations in the public sector there are numerous layers of complexity to consider, not least the regulatory requirements of the GDPR. The influence of the U.S. CLOUD Act, together with other legislation such as the US Foreign Intelligence and Surveillance Act (FISA), adds further layers that need to be handled.
New challenges for digitalization in Sweden
Thom Thavenius at Zebware is responsible for leading and developing the offer aimed at the public sector. In recent years, he has noticed a clear hesitation in the use of cloud-based capabilities in public sector organizations. Sweden's public sector has been a world leader in digitalization, but new regulatory requirements are causing new challenges. The effects of GDPR and the Swedish Public Access to Information and Secrecy Act (OSL) have added restraints on using public cloud services in general. Above all, questions about whether organizations can use US cloud service providers such as AWS, Azure, and Google, given the US CLOUD Act, have caused digitalization investments to come to a halt in some cases.
- The IT landscape has become difficult and complex to interpret from a legal point of view. The requirements for data compliance have increasingly become a challenge for both the private and public sectors, Thom explains.
Efficiency vs. GDPR and CLOUD Act
Compliance issues for data storage and management are complex and multifaceted. Sweden's public sector consists of approximately 650 organizations, each of which, regardless of size, manages and is responsible for protecting personal data and sensitive information from a variety of sources. Simplified, responsibility can be divided into two parts. The first part concerns integrity: those who manage the data must maintain full ownership and control over it. The second part is to ensure that data does not end up in the wrong hands or become exposed to other legislative bodies. According to both GDPR and OSL, organizations that store and manage personal data are responsible at every stage, at all times. Responsibility cannot be outsourced. Despite the benefits of moving applications and data to the cloud, many public sector organizations are being hindered by security and safety directives.
- All cloud providers have built-in redundancy and backup at their data centers to ensure reliable service. This means that your data can end up in data centers and on backups that you don't have full control over, which in some cases is required by law.
Security and control are further reduced if a cloud provider chooses to move data between its data centers to optimize access and resource usage. There are often time clauses in the user agreement stipulating that data that is not used for a long time can be moved between data centers. Shifting data to another country or region can make it subject to that country's data laws, again beyond the data owner's control.
- Your data does not even have to leave Sweden to be affected by the CLOUD Act or other equivalent legislation. It is enough that the cloud supplier is an American company to enable American law enforcement or security services to request and gain access to your data. In such a situation, it is the cloud provider who has the mandate to decide whether to comply or not, not the data owner. This causes a legal conflict for the public sector.
Take control of your data
How can an organization take control of its data? Thom provides a step-by-step action plan to help organizations take big leaps toward becoming compliant and managing their data securely.
- Establish the current state and situational awareness of safety and regulatory compliance in both data storage and data processing.
- Perform a risk analysis. Assess the risk in the context in which data will be managed. There are guidelines and tutorials set by national agencies (Swedish MSB and Säpo) that you can use.
- Establish a desired state, focusing on security, compliance, integrity, accessibility and traceability. The gap between the current state and the desired state will most likely show where there are weaknesses in your data management strategy.
- Evaluate how third-party solutions can improve the information architecture. Make sure that you, as a data owner, with the help of third-party solutions retain full control over where your data is stored and how it is handled.
- Develop an action plan. The gap between the current state and the desired state is also likely to provide insights into measures that can have significant effects with small resources.
- Establish a long-term action plan. What is your organization’s long-term strategy? How is your information and data facilitation architecture structured to support that strategy? What needs to be addressed in the long term to make your data accessible, secure, safe and intact?
Zebware has the tools to give you full control over your data. The Orchesto data management solution is designed to allow you to fully seize the opportunities of cloud-native capabilities and hybrid cloud infrastructure in terms of agility, safety and compliance.