One of the riskiest moves in shifting to the cloud is choosing a company to provide your managed cloud hosting services.
Depending on what type of cloud hosting and data storage you choose, your data could be stored on servers in another country.
There are several risks in housing your data in an unknown location:
If you are an Alberta-based business with compliance requirements you must meet, this guide will help you understand Canadian Data Residency and how you can meet residency requirements, move your data to the cloud, and benefit from cost-effective risk mitigation.
Canada Privacy Act
Email encryption, worrying about data storage, or storing data outside of business walls were matters of little or no concern when every company kept paper files in locked cabinets.
Canada has been regulating the management of personal information privacy for almost 35 years, ever since the Government of Canada enacted the Privacy Act in 1983.
This Act applied to departments within the Government of Canada as well as each provincial government system.
Twenty years later, in order to address the privacy issues that accompanied the development of online commerce, the 1983 requirements were broadened to include private sector organizations that electronically maintain personal information.
Data Residency Laws in Canada
Canadian data residency requirements were initially developed to address Canadian government agencies shifting to the cloud as part of the cloud-first adoption strategy.
The government established this cloud-first strategy in recognition that private industry needs to:
- Deliver services at the same speed and ease, and
- Ensure the personal data they process and store is as protected as possible.
However, further risks associated with storing data in the cloud outside of the country, even in the US, were identified. Subsequently, the government developed measures to address how and where data could be stored through Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA).
Alberta’s and British Columbia’s version of PIPEDA is the Personal Information Protection Act (PIPA). Other regulations addressing data privacy that may impact your business include:
What Is PIPEDA?
These new parameters were established in 2004 under the Personal Information Protection and Electronic Documents Act (PIPEDA), requiring providers to alert the Office of the Privacy Commissioner of Canada (OPC) and all affected Canadian consumers when there is a data breach.
PIPEDA originally applied only to the federally regulated private sector.
For example, banks, airlines, and telecommunications companies were required to follow the guidelines, but businesses, such as retailers, were not subject to its conditions.
More recently, PIPEDA was amended to include provincially regulated organizations, such as many businesses within the retail sector, service industries, manufacturing, and more.
However, the requirements do not apply to personal employee information; rather, they apply strictly to personal consumer information.
On June 18, 2015, the Canadian Parliament passed the Digital Privacy Act (DPA), thereby amending PIPEDA.
There are numerous additional requirements within the DPA, but we place an emphasis on the stipulation that Canadian citizens’ digital information stored within Canadian borders can only be distributed by means of email encryption systems.
Data Residency Requirements for Canadian Businesses
While PIPEDA does not mandate that companies keep their data within Canadian borders, it does specify how Canadian citizens’ information can be stored.
Businesses are held responsible for the data they collect, process, transfer, and store. Additionally, they are mandated to provide protection of that data at all times.
Because the laws are different in countries outside of Canada, protecting data during transmission and storage to a foreign cloud server puts your business at risk. The rules are even stricter for certain industries, such as the financial sector.
In addition, businesses that have customers in the EU or California may also be subject to additional privacy regulations from the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA).
Achieving Data Residency in the Cloud
Microsoft Azure includes a strong email encryption system and is now available through local datacenter regions in Toronto and Québec City.
Furthermore, Microsoft 365 has the capability of providing in-country data residency.
Thus, The ITeam can offer a combination of 365 and Azure that meets the encryption and data residency requirements of the DPA.
The following is a brief Q&A regarding some of the central issues involved in DPA cloud compliance:
Azure Data Residency Key Questions and Answers
Does any encrypted document ever reside on US or foreign soil?
No. If you use a Canadian billing address for your data, Microsoft 365 and Azure cloud services will be hosted automatically in a Canadian data center.
Does Azure store all information in Canada?
Yes. Microsoft hosts data based on geographic location, so all information remains in Canada. More specifically, as described above, the data is stored regionally in Toronto and Québec City.
What are the most important elements of encryption?
Regulated data is encrypted both while it is “at rest” and while it is being transmitted between a data center and a user. The level and type of encryption used to protect files and emails can be customized by end users and administrators. This allows maximum data security and management flexibility.
How is in-country data centre integrity ensured?
Microsoft Azure uses separate security worlds for its data centers in North America, EMEA (Europe, Middle East, and Africa), and Asia, so security keys can be used only in the region of residency.
Is data ownership and control compromised in any way?
No. Both Microsoft 365 and Microsoft Azure leave data ownership and control in the hands of individual organizations. Neither data ownership nor data control is ever compromised.
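The residency answers above can be checked against a tenant's actual resource inventory rather than taken on trust. The following is an added example, not code from this guide or from Microsoft: it audits a JSON export in the shape produced by `az resource list --output json`, and the sample inventory, resource names, and function names are constructed for illustration.

```python
import json

# Azure region names for the two Canadian regions the article mentions:
# Canada Central (Toronto) and Canada East (Québec City).
ALLOWED_REGIONS = {"canadacentral", "canadaeast"}

# Constructed sample in the shape of `az resource list --output json`
# (only the fields used here); the resource names are made up.
SAMPLE_INVENTORY = """
[
  {"name": "st-clientfiles", "type": "Microsoft.Storage/storageAccounts", "location": "canadacentral"},
  {"name": "sql-crm", "type": "Microsoft.Sql/servers", "location": "Canada East"},
  {"name": "vm-legacy-app", "type": "Microsoft.Compute/virtualMachines", "location": "eastus2"},
  {"name": "dns-example", "type": "Microsoft.Network/dnszones", "location": "global"},
  {"name": "kv-unknown", "type": "Microsoft.KeyVault/vaults"}
]
"""

def normalize_region(location):
    """Fold 'Canada Central' and 'canadacentral' into one comparable form."""
    return (location or "").replace(" ", "").lower()

def audit_residency(inventory_json, allowed=ALLOWED_REGIONS):
    """Sort resources into in-country, out-of-country and needs-review."""
    report = {"in_country": [], "out_of_country": [], "needs_review": []}
    for res in json.loads(inventory_json):
        region = normalize_region(res.get("location"))
        entry = (res.get("name", "<unnamed>"), region or "<missing>")
        if region in allowed:
            report["in_country"].append(entry)
        elif region in ("", "global"):
            # Non-regional or unlabelled resources cannot be placed by
            # location alone; treat them as open questions, not as passes.
            report["needs_review"].append(entry)
        else:
            report["out_of_country"].append(entry)
    return report

if __name__ == "__main__":
    result = audit_residency(SAMPLE_INVENTORY)
    for bucket, entries in result.items():
        for name, region in entries:
            print(f"{bucket:15} {region:15} {name}")
    # A non-zero exit lets a scheduled job or pipeline fail on drift.
    raise SystemExit(1 if result["out_of_country"] else 0)
```

Resources that land in the needs-review bucket carry no region in the inventory, so where their data sits has to be confirmed from the service's own documentation or configuration.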
Microsoft Azure provides organizations with a reliable, scalable, and secure infrastructure environment, allowing organizations to improve customer experience, drive innovation, and manage costs. With the availability of Canada-based data cloud services and storage, it is worth considering shifting your organization to the cloud and evaluating solutions like Microsoft Azure.
Do You Know Where Your Data Is?
The days of keeping records in file cabinets where you can simply open a drawer and retrieve what you need are long gone.
Most of that information is now stored electronically. But if you’re storing your data in the cloud, you need to know two things:
- Where is it being stored?
- How quickly can you gain access to it if you need it?
When you choose to partner with The ITeam, you not only gain cost-effective, secure cloud storage and hosting but peace of mind. Your data is stored locally, in Alberta, never leaving the country even during transmittal. And when you need it, you can access it quickly. This means:
The ITeam is a Microsoft Certified Partner committed to helping Calgary- and Alberta-based businesses develop proactive IT strategies that keep them competitive.