Data sovereignty is the idea that data is subject to the laws and regulations of the nation in which it is collected. It has increasingly become a minefield for many businesses that have decided to embrace the cloud, because the numerous data protection regulations keep changing in different regions of the world.
Before the cloud, most businesses stored all their data in their own data centers or at a colocation facility, in keeping with data gravity and latency needs. With the growing adoption of cloud, it is no longer business as usual. Cloud infrastructure gives the convenience of data access across borders and regions of the world. How then does this play out with respect to data sovereignty? With numerous data protection regulations such as the European Union General Data Protection Regulation (EU GDPR), the California Consumer Privacy Act (CCPA), and South Africa's Protection of Personal Information Act (POPIA), among many others, it is essential to exercise due diligence about the programs cloud service providers have in place to support data residency requirements.
Maintaining Data Sovereignty
The big cloud service providers, for instance Amazon Web Services (AWS), Google Cloud Platform, and Microsoft's Azure Cloud Platform, have programs in place to cater to data residency requirements. Apart from these big three, you may need to exercise more due diligence by asking the questions below:
- Where in the world is your data being stored? Does your country of origin or region require that you house data within its borders?
- How is the data being protected both physically and logically?
- What systems or processes does the cloud service provider have in place to ensure that your data doesn’t leave your country/locality/region?
- How is the data access monitored or altered?
- How is the encryption of data handled? Who has access to the encryption keys?
The answers to these questions will generally give you a basis for understanding how well your cloud service provider supports the data sovereignty requirements of your business. Creating a data protection strategy is also key to helping your business take full responsibility for its data protection needs and navigate across borders when there is a need. Essentially, your data protection strategy should support your evolving business's data sovereignty needs. Below are some of the key steps that can help shape a data protection strategy:
- Identify and understand all the applicable data residency requirements for your business. Consider data residency requirements for any location where your business resides. Consult legal and/or compliance teams who understand laws within those locations.
- Identify, classify, and keep track of your data assets. Take inventory of all data assets and classify them into categories. The categories should be in line with the data protection requirements provided by the different protection laws.
- Come up with a data classification mechanism to tag your data. Find a means to tag your data and put controls/rules in place to ensure that the tagged data adhere to data protection requirements. Some cloud service providers provide rule engines to help tag and control data movement.
- Leverage service provider capabilities to restrict where your data can be located. Some cloud service providers, including the big three mentioned above, offer you options for exactly where you can store your data.
- Monitor access to your data and log all activity.
- Encrypt, anonymize, or pseudonymize your data where applicable. Some providers have keys and other tools to perform base-level encryption. You must understand what requirements are provided by different laws with respect to encryption or data security techniques.
- Develop a means to measure and monitor your level of compliance with all applicable data protection laws. If your data changes locations, you may need to find ways to track it and ensure it stays in compliance.
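The tagging, location-restriction, encryption and monitoring steps above can be combined into one automated check over a data inventory. The Python sketch below is an added example, not part of the original article: the tags, region names, policy rules and inventory are all constructed placeholders, and real rules have to come from the legal and compliance review in the first step.

```python
from dataclasses import dataclass
from typing import Optional

# Hypothetical policy: classification tag -> storage rules (assumed values).
# "regions": None means the data may be stored anywhere.
POLICY = {
    "eu-personal": {"regions": {"eu-west", "eu-central"}, "encrypt": True, "customer_keys": True},
    "za-personal": {"regions": {"za-north"}, "encrypt": True, "customer_keys": False},
    "public": {"regions": None, "encrypt": False, "customer_keys": False},
}

@dataclass
class Asset:
    name: str
    tag: Optional[str]   # classification tag, None if never classified
    region: str          # where the provider currently stores it
    encrypted: bool
    key_owner: str       # "customer" or "provider"

def check(asset):
    """Return the findings for one asset; an empty list means compliant."""
    if asset.tag is None:
        return ["untagged: classify before it can be evaluated"]
    rule = POLICY.get(asset.tag)
    if rule is None:
        return [f"unknown tag {asset.tag!r}: no rule defined"]
    findings = []
    if rule["regions"] is not None and asset.region not in rule["regions"]:
        findings.append(f"stored in {asset.region}, allowed: {sorted(rule['regions'])}")
    if rule["encrypt"] and not asset.encrypted:
        findings.append("encryption required but not enabled")
    if rule["customer_keys"] and asset.key_owner != "customer":
        findings.append(f"keys held by {asset.key_owner}, customer-held keys required")
    return findings

def audit(inventory):
    """Map asset name -> findings, keeping only non-compliant assets."""
    report = {a.name: check(a) for a in inventory}
    return {name: f for name, f in report.items() if f}

# Constructed inventory, standing in for an export of tagged cloud resources.
INVENTORY = [
    Asset("crm-db", "eu-personal", "eu-west", True, "customer"),
    Asset("crm-backup", "eu-personal", "us-east", True, "provider"),
    Asset("hr-files", "za-personal", "za-north", False, "provider"),
    Asset("site-assets", "public", "us-east", False, "provider"),
    Asset("legacy-share", None, "eu-west", False, "provider"),
]

if __name__ == "__main__":
    for name, findings in audit(INVENTORY).items():
        print(name, "->", "; ".join(findings))
```

Untagged assets and unknown tags are reported rather than skipped, so gaps in classification surface in the same report as location and encryption violations.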
In a cloud world, it is important to understand how your business can maintain data sovereignty so as to avoid any data protection pitfalls. Due diligence and your data protection strategy will play a critical role in achieving data sovereignty.