where-is-our-data-stored Big Data

Where is our Data Stored: Law and Cyber Security

19/11/19 5 min. read

Every time we interact on the Internet we are generating loads of data: when you purchase, take photos or videos and upload them to Dropbox or similar servers. When posting things on Facebook, Instagram or Twitter or when using the Cloud (OneDrive, Google Drive, etc.). When you use your email accounts and obviously when you move around with your smartphone location tracking your movements or measuring your activity in a Fit app.

Many of the above are personal data:

  • Protected: ideology, religion, biometric data
  • Identification: name, address, identity document, phone number
  • Personal: marital status, age, gender
  • Social: family situation, assets, hobbies
  • Economic-financial: card numbers, accounts

Do we know where all this data is stored? Is it regulated in any way? Is your data safe?

Where is our data physically stored

data center - where is our data

An initial distinction can be drawn depending where the data is physically stored. If it is stored in the organisation’s own systems it is known as On-Premises data.  On the other hand, if it is stored with a service provider it will be located on the Cloud.


This is data stored by the organisations responsible for managing the data in physical systems located on their Data Centers. This requires the organisation to have in-house servers, software licences, qualified IT personnel and system maintenance and updates.

This option is ideal for storing sensitive user data or where required by the regulations.


Gartner predicts that by the 2025, 80% of enterprises will shut down their traditional Data Centers and also that Data Center is almost dead. Furthermore, according to the latest report by Canalys, in 2018 spending in the worldwide cloud infrastructure market grew by 46.5%. This means that more and more businesses are considering the option of moving their systems, and therefore their data, to the cloud.

Cloud service providers usually offer:

  • Storage of data in Data Centers
  • Hardware and software maintenance and uploads.
  • Guaranteed high availability rates of up to 99.99%
  • Scalability to assume any peaks in demand
  • Replication of data in different regions to avoid any loss in the event of a disaster. The regions are series of data centers connected via a dedicated low-latency network (optimized to process high volumes of data with minimal delay). At the same time, these regions have different availability zones (normally three for each region), physically separated locations consisting of one or various data centers connected with high bandwidth low-latency networks.

Microsoft Azure has 54 regions, Amazon 22 and Google 19. Amazon recently announced that it will be opening a new region in Aragon, Spain, in late 2022 or early 2023.

What law regulates our data and the right we have over them

GDPR for Europe

There are countries where data is regulated by laws governing their protection and use. In the Euro zone we have the General Data Protection Regulation (GDPR), which regulates the processing of personal data by individuals, businesses and organisations in the European Union (EU).

? A couple of month ago also came into force and applies accross the EU the law PSD2: what is it and how it affect you?

INE recopilara los datos de localizacion anonimos

There are no borders on the Internet… be aware where you give your data

It is very important to consider where our data goes when we upload it to the Internet. A recent example is the viral sensation FaceApp, which after uploading a photo of your face simulates what you will look like when you get older. Many people did installed it and celebrities even appeared on TV using the app.

But when you stop and read the fine print, you realise that you are granting your personal data, in this case a photo of yourself, to the Russian company Wireless Lab. The terms and conditions specify that they are not governed by the GDPR and accordingly we have no idea what they are doing with our data or who is receiving it. Nor does it indicate how to delete the data, as is the case with other apps like Facebook.

This data is very useful for training of facial recognition algorithms based on massive databases of anonymous faces, a necessary step for Artificial Intelligence (AI) to be able to read faces.

Accordingly, the only sure-fire way to know that the law protects your data is to read the terms and conditions you agree to when entering your personal data.

Cyber security, the new No. 1 priority for businesses

Cyber security has become a key area in all business sectors, particularly for companies that store data. Security mismanagement can lead to very serious economic losses, as well as affecting a company’s reputation.

To enhance security, a model is used known as defence-in-depth involving multiple layers of security controls, with each level focusing on possible attacks and creating different means of protection.

Defence-in-depth layers and some possible attacks examples:

defence-in-depth security layers
  • Data: exposure of cipher keys that can make data vulnerable.
  • Apps: insertion of malware such as SQL injection attacks and cross-site scripting (XSS).
  • Virtual machines/processes: execution of malware to compromise the system.
  • Networks: leaving ports open unnecessarily. Once an open port has been detected, access is attempted using brute force attacks.
  • Perimeter: denial of service (DoS) attacks consisting of overloading network resources and forcing disconnection.
  • Physical security: unauthorised access to facilities.
  • Policies and access: this is the layer where the application is authenticated. The risk here consists of potential exposure of credentials.

Ernesto Rubio

Santander Global Tech


Other posts