Working From Home, Virtual Desktops, GDPR & US Cloud Data Centres

Submitted by graham on Tue, 04/14/2020 - 14:00

As a fractional CTO, during the Covid19 pandemic several clients needed to rapidly scale up their ability to facilitate working from home.

A frequently occurring challenge was making key systems such as accountancy packages available remotely where they had previously only been accessible via office based workstations. Some of these companies were in the process of digitising and so the infrastructure to support working from was not already established.

When facilitating working from home at short notice there is not time to implement significant infrastructure. What is more, during the Covid19 pandemic backdrop of economic shut down, wide scale job losses and significant uncertainty there is little appetite for investment in new infrastructure. Finally, when entire organisations are shifting to a working from home model the capacity to train staff on new tools and processes is severely limited.

With those constraints in mind, what tools might we use to support the new home based workforce?

One option is Windows Virtual Desktop. This is Microsoft's VDI (Virtual Desktop Interface) technology running on their Azure cloud infrastructure.

Some of the benefits in this context are:

  • Rapid: self service provisioning means we can support team members quickly.
  • Security: team members can authenticate with their existing Office 365 login credentials via the web authentication layer, keeping security controls all in one place
  • Minimal infrastructure: keeping the underlying server off the public network and authenticating only with Office 365 credentials reduces the need for firewalls and VPNs. This eases setup and management but also helps to limit costs.
  • Simple: the new work from home team don't need to learn new tools such a Remote Desktop, VPN clients etc.

However, while exploring this solution a significant bump appeared in the road. The Azure data centres located in the EU appeared to run into a capacity issue. It seems likely this is linked to greater demand due to the Covid19 pandemic. The result was that the only available data centres to provision a virtual machine to power the Virtual Desktop were in the US.

Does this present a GDPR related showstopper for UK based companies, or more generally any EU based countries, until Azure has capacity in EU data centres?

If there is no personal data involved, no, there is no GDPR problem to be concerned about.

However, if you do need to store personal data of EU citizens on the virtual machine powering your Virtual Desktop then it is necessary to consider GDPR requirements.

Fortunately, this does not need to be a problem that blocks us from using the Azure Windows Desktop to facilitate home working during the Covid19 outbreak. Relevant extracts from the GDPR  legal text are as follows:

Chapter V, Article 45

A transfer of personal data to a third country or an international organisation may take place where the Commission has decided that the third country, a territory or one or more specified sectors within that third country, or the international organisation in question ensures an adequate level of protection. Such a transfer shall not require any specific authorisation.

The EU publish the list of third countries with which there is a GDPR adequacy agreement, which at the time of writing includes the USA.

It is worth noting the caveat in that list that adequacy is not across the board in the USA due to complications resulting from shared responsibility for data protection between states and federal law. There is also jurisdictional overlap between the security services and the Commerce Department making enforcement decisions more difficult to apply. 

The EU-US Privacy Shield is an opt in arrangement to overcome these adequacy challenges. Companies must self certify to the Department of Commerce and publicly commit to comply with the Privacy Shield's requirements.

Fortunately we can see that Microsoft, the corporation behind Azure, is listed as operating in compliance with the Privacy Shield.

Chapter V, Article 49

The adequacy as described in relation to Article 45 appears sufficient at the time of writing to allow transfers of personal data of EU citizens to Azure cloud servers located in Microsoft's US data centres. However, article 49 provides further exemptions that could allow the transfer of data to third countries. Specifically the following points:

(b) the transfer is necessary for the performance of a contract between the data subject and the controller or the implementation of pre-contractual measures taken at the data subject’s request;

(c) the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and another natural or legal person;

Or in other words, if you can only fulfill your contractual obligations to those whose data you hold by transferring their personal data to a server in a third country, then in this specific case you are able to do so but you should take steps to ensure you are protecting data in accordance with GDPR, wherever it is being processed.

In summary, Windows Virtual Desktop is a great tool for rapidly and cost effectively shifting to a work from home operating model.