The physical location of data will become increasingly irrelevant in the post-Snowden era, according to Gartner.
A Gartner report found the physical location of data still mattered, but would become increasingly irrelevant.
It will be replaced by a combination of legal location, political location and logical location in most organisations by 2020.
Many IT professionals are not even aware of the concept of legal location.
The legal location is determined by the legal entity that controls the data (the organisation), according to Gartner.
There could be another legal entity that processes the data on behalf of the first entity (such as an IT service provider) and a third legal entity that supports the second one in that endeavour (possibly a captive datacentre in India).
The political location takes in considerations such as law enforcement access requests, and use of inexpensive labour in other countries.
It also includes questions of whether international political balance is more important for public sector entities, non-governmental organisations (NGOs), companies that serve millions of consumers or those whose reputation is already tainted, the report said.
The logical location is emerging as the most likely solution for international data processing arrangements and is determined by who has access to the data, according to Gartner.
For example, a German company signs a contract with the Irish subsidiary of a U.S. cloud provider, fully aware that a backup of all data is physically stored in a datacentre in India. While the legal location of the provider would be Ireland, the political location the U.S. and the physical location India, logically all data could still be in Germany.
But for that to happen, all data in transit and all data at rest (in India) would have to be defensibly encrypted, with keys residing in Germany.
Gartner research vice president, Carsten Casper, said that the number of data residency and data sovereignty discussions had soared in the past 12 months, stalling technology innovation in many organisations.
Triggered by the dominance of US providers on the Internet and the Patriot Act, the perceived conflict was then fuelled by revelations of unexpected surveillance by the National Security Agency made public by Edward Snowden.
“IT leaders find themselves entangled in data residency discussions on different levels and with various stakeholders such as legal advisors, customers, regulatory authorities, employee representatives, business management, and the public,” he said.
“Business leaders must make the decision and accept the residual risk, balancing different types of risk: ongoing legal uncertainty, fines or public outrage, employee dissatisfaction or losing market share due to a lack of innovation, or overspending on redundant or outdated IT.”
Historically, people equated physical proximity with physical control over data and security.
Casper said none of the types of data location solved the data residency problem alone.
“The future will be hybrid — organisations will be using multiple locations with multiple service delivery models,” he said.
“IT leaders can structure the discussion with various stakeholders, but eventually, it's the business leader who has to make a decision, based on the input from general counsel, compliance officers, the information security team, privacy professionals and the CIO.”