Outsourcing has been a common business strategy since the early 2000s, however, in an article published by Janice Wong of St Andrews University, she stated that individuals have become more cautious about data protection due to privacy scandals such as Cambridge Analytica, NHS England’s care.data, and intrusion of one’s private life*
There are several benefits to outsourcing data storage, including; reduced costs, saving on technology and overall infrastructure. Onshoring, Near-Shoring, and Off-Shoring are the three typical models used. All three come with risks to your data and are rooted in the way they are implemented.
On-shoring
On-Shoring is the process of outsourcing to a company that is local, usually in the same country. These companies work under the same laws and regulations as the data owner (Outsourcer). Any access to data by law enforcement must adhere to the same rules and laws that apply to the owner.
Near-shoring
Near-Shoring is the process of outsourcing to a company that is traditionally in a neighboring country.
Data protection is potentially based on regulations and laws which differ from those with which the owner needs to comply. Any access to data by law enforcement adheres to the local laws of the country in which the third-party vendor resides.
Off-shoring
Off-Shoring is fairly similar to that of Near-Shoring. It is the process of outsourcing to a company that is traditionally much further away, not directly part of the local geographic region, where the data was gathered. Again, these outsourcing companies must adhere to the laws of their country, rather than those of the data owner (Outsourcer). Any access to data by law enforcement adheres to the local laws, for the country in which the third-party vendor resides.
What should you consider when looking to outsource your data storage?
When choosing a method of data storage, whether onshore or off, the laws and regulations of the country you are outsourcing this to should be considered as there can be vast differences from one country to another. The overall safety of the data should be the main priority at all times.
Data protection misalignment
Any data that is handed over to an outsourced data storage provider potentially loses the data criticality level that the owner (data gatherer) has identified. A cloud hosting provider will classify your data as customer data, which needs to be protected based on its internal requirements. However, the data could potentially be highly critical to the day-to-day operations of the data owner, and would therefore warrant better protection.
Differences in time zone
With time zone differences of up to 12 hours, delays can be experienced when trying to access the data that you have stored off-shore. When deciding where your data is outsourced to, you should consider how frequently you need access to it, how easy it is to access and the reliability of the service you will be receiving, as a lack of control may have a detrimental effect on the running of your business.
Different business culture
The risk of misunderstandings and a potential misalignment with your company’s existing processes can arise depending on the outsourcing model the data storage company employs.
General offshoring carries the highest risk of such a misalignment, due to the differences in data protection laws from one country to another. A hard drive that contains sensitive data is normally wiped or destroyed when it is finished within countries such as the US, Canada and the UK. An offshore outsourced data storage provider, from countries with more lenient data protection laws, may reuse a hard drive in an attempt to cut costs. This would inevitably bring the risk of data contamination between multiple clients of the outsourcing company
Conclusion
Outsourcing is in general not a bad thing, however, it can come with inherent risks that an organization needs to be aware of when considering the different models available to them. A thorough check of the service reliability of each potential outsourcing partner, the laws that they adhere to, and repeated checks during the business relationship are advised.
If you would like any further help or advice regarding your company’s data, please fill out the form below and a member of our team will contact you.
*Janis Wong, Mitigating data protection harms by addressing the misalignment between data subject rights and the aggregation of derived data using technology and law