The concept that data may be subject to the laws of more than one country - and the fact that those laws are ever-changing - presents mounting responsibilities and challenges for organizations.
Rapid advancements in digital and mobile technology, increasing global connectivity, and the proliferation of cloud services have made the global economy a seamless ecosystem.
Within this ecosystem is the ability of organizations to collect, manipulate and monetize unprecedented amounts of personal and confidential data, which is heightening concerns about citizens’ privacy and cyber security.
In this frenetic landscape, in which huge amounts of data are harvested, stored and analyzed 24 hours a day, governments have moved with uncommon swiftness to provide statutory instruments that seek to regulate the flow of information.
This has included the assertion of ‘data sovereignty,’ in which governments enforce their own privacy laws on data stored within their jurisdictions. It is a rebuff of sorts to the global economy, a reimposition of sovereign interest.
For businesses, this has created a raft of compliance obligations and strategic imperatives, as well as the need for informed decisions about where their data is stored, how that data is managed and protected when shared across borders, and how IT systems are set up.
Data sovereignty vs residency and localization: Key points
- Data sovereignty is frequently used interchangeably - and incorrectly - with ‘data residency’ and ‘data localization.’
- Data residency is when an organization specifies that its data will be stored in a geographical location of their choice.
- Data localization comes with legal obligations. It requires that data created within a country’s borders remain in situ.
What does data sovereignty mean for businesses?
The rapid take-up of cloud-based data storage exposes companies to issues of data sovereignty. With the rising popularity of cloud computing, data sovereignty issues have become a greater focus for companies concerned about threats to the integrity and security of their data.
Data sovereignty becomes an issue when a company’s data servers are located outside the country in which the business is domiciled, and governments insist that this data is subject to the laws of the country in which it is collected or processed.
Mitigating data sovereignty risks
Businesses need to have a robust and comprehensive data security strategy and vigorous internal procedures to protect and secure data. The onus is on businesses to understand how their data is stored, who owns it and how it moves.
Businesses also need to:
- Ensure that their cloud service provider will not replicate data onto servers in other countries
- Ensure that the data stored overseas is done so according to local laws.
- ‘De-identify’ data before storing it in the cloud. (De-identification is removing people’s identity from the data.)
- Ensure that their cloud service provider has insurance to cover data breaches.
- Back up their data before moving it offshore, as a loss of data can be catastrophic for the business.
Data gravity, data sovereignty and the cloud
‘Data gravity’ is a metaphor introduced into the IT lexicon by San Francisco software engineer Dave McCrory in 2010. The idea is that data and applications are attracted to each other, similar to the attraction between objects that is explained by the law of gravity. As data sets grow larger and larger they become more difficult to move. So, the data stays put and applications and processing power moves to where the data resides.
Analytics in the cloud: even higher barriers
Barriers become even more challenging if you want to run analytics in the cloud on data stored in the enterprise, or vice-versa. These new realities for a world of ever-growing data sets suggests the need to design enterprise IT architectures in a manner that reflects the reality of data gravity. Alternatively, companies could consolidate their data in a cloud platform where the analytics capabilities reside (and which includes data sovereignty guarantees).
The legal framework
General Data Protection Regulation (GDPR)
The European Union’s GDPR covers data protection for EU citizens. The GDPR also addresses the transfer of personal data outside the EU and European Economic Area (EEA). It supersedes the Data Protection Directive.
With the advent of the GDPR, organizations have reviewed their data sovereignty requirements and capabilities.
Brexit: in or out?
All countries in the EU benefit from what might be called the ‘free movement of data’. This currently applies to the UK in the same way that it does to the other 27 members.
However, when the UK leaves the EU, it may or may not still be included in this ‘free market’ in data. Current EU data protection legislation states that “special precautions need to be taken when personal data is transferred to countries outside the European Economic Area that do not provide EU-standard data protection”.
If data sovereignty isn’t included in any finalized Brexit deal, or if the “no deal” scenario eventuates, then UK businesses could be directly affected. Post-Brexit, the UK would no longer be covered by data agreements between the EU and other countries, such as the EU-US Privacy Shield Framework.
If the EU does not grant “equivalency” to the UK post-Brexit, the safest thing to do when it comes to data sovereignty issues is to make sure that data is migrated to UK-based data centers.
In the digital economy, organizations are information-rich. They have never possessed such extensive reserves of personal data nor have they been closer to their customers as a result. Digital consumers have benefited from customized product and service offerings, enhanced customer experiences and the ability to intimately engage with their favorite brands across multiple platforms.
But with the ability of organizations to collect unprecedented amounts of data across multiple technology platforms comes great responsibility, and challenges - not least compliance obligations and strategic imperatives, as well as the need for informed decisions about where their data is stored, how that data is managed and protected, and how vendors are chosen.
How well organizations deal with the risks posed by data sovereignty is the latest challenge in the digital transformation of the economy.
Read more in Hurley Palmer Flatt's White Paper