Project Description

Where is your data, and why should you (legally) care?

You’ve heard it before… data is gold, data is king, data is the new global currency, data is everything!

And it’s true, data is at the heart of your business and is critical to your operations. But as a NZ business, if you collect and store (especially personal) data, the Privacy Act 2020 now places certain legal obligations on you to maintain the privacy of any individual’s data held.

Whilst the Privacy Act 2020 is generally considered to be a significantly “lighter” version of the more rigorous European Union GDPR (General Data Protection Regulation), many NZ organisations are only just beginning to appreciate that compliance with these legal obligations is often not enough. Customers are now demanding greater transparency regarding where their data is stored, and who might have access to it.

Chris Thorpe – Cloud Services Development Manager

You have probably heard of the term data sovereignty… but what does it really mean to your business? As a NZ business, you are already familiar with the laws of our country, and you will have modelled your business practices within that framework. But having your data stored offshore adds an extra layer of complexity. This data will now be governed by laws that you are not familiar with, and potentially with very different privacy considerations than those outlined in the Privacy Act 2020. You may also have heard of the term data residency. This refers to the physical location where data is stored and is an important term for commercial and taxation purposes.

Understanding all of this can be complex, so let’s look at a common scenario:

You have decided to move some of your data offshore and have chosen a US-based provider who can deliver services out of Australia. Your data is now resident in Australia and subject to Australian jurisdiction. But did you read the terms and conditions of the service provider carefully? Buried in the fine print, you find that you have also agreed that, by using their services, you are now also subject to the laws of the state of Delaware.

To complicate matters further, US-based technology companies are also subject to the Clarifying Lawful Overseas Use of Data Act (the ‘CLOUD Act’). This means US authorities can access data held by these companies (regardless of where it is stored) for several reasons, including for the prevention of terrorism and cybercrime. In theory, this sharing of data would be subject to appropriate safeguards but whether that is the case in practice remains to be seen.

Trying to explain all of this to your customers, and ensuring you are not liable if a data privacy breach occurs, becomes a minefield. Ensuring your data stays “in-country” with a service provider that is subject to NZ law helps build customer trust and minimises compliance issues.

Whilst NZ service providers typically cannot compete on price with the global operators, what you should also consider is how expensive it is to get it wrong. If your data is hosted offshore, or hosted locally but subject to international laws, then you need to factor in compliance costs and the potential risks around unwanted access and control of your customers’ data.

CodeBlue is well placed to help guide you through these complexities. Beyond that, we can also offer NZ businesses a number of “sovereign cloud” services utilising our own infrastructure, backup and disaster recovery offerings. By subscribing to these services, you can rest assured that your data only resides in NZ and is only subject to NZ jurisdiction. Getting the right data protections in place is a smart investment.