Data sovereignty has taken center stage as more and more global companies move to the cloud and look to move data freely across regions. So, what is data sovereignty? Simply put, it’s the concept that an organization’s data is subject to the rules and regulations of the country in which it’s located. These rules and regulations can significantly impact how a business accesses and moves data across its organization. So, let’s discuss why you should factor in data sovereignty when building your cloud strategy.
Businesses need to be aware of all data laws and regulations related to the types of data that they process in the locations where they are operating in order to remain compliant. In some countries, certain data can’t leave its country of origin. And non-compliance can have serious financial, reputational and even criminal ramifications for your organization.
In the days when on-site data centers were the norm, and any cloud offerings might have been offered by small, local companies, your data went was easy to track. But now, in the days of industry consolidation and globe-spanning cloud service providers, the paths your data take are more convoluted.
For example, a company based wholly in Germany may want to utilize a set of tools that are available on Microsoft Azure or Amazon Web Services (AWS), both of which are American companies. Where is that data being routed? While it’s being processed, is it subject to U.S. law, EU law, or German law?
Factoring in data sovereignty issues at the start of strategy creation helps you unlock the full potential of the cloud. Data is gold, and as more countries realize the economic potential and associated security risk, they’ll have an increasing interest in keeping it in-country for processing and storage. While this might be good for that country, the creation of regional data silos doesn’t get the most out of the cloud, and it makes optimizing processes and business intelligence more difficult, if not impossible.
How to get out ahead of data sovereignty issues
Businesses have legal obligations to know where their data and customer data is stored and then take the necessary steps to comply with any applicable data localization laws. Plus, they need to ensure that their cloud infrastructure offers tight security and has protocols to follow should they experience a data breach or if they need to destroy any data.
So how do you navigate the tricky waters of data sovereignty without slowing innovation? Well, it might help to come up with a data protection strategy at the start of your journey. Start with the following considerations:
- Know the law: Consult with your legal and compliance departments and clarify all requirements.
- Find out what you’re working with: Identify all cloud data assets, paying special attention to assets that may contain data that fall under the purview of data sovereignty.
- Identify regional variances: Different countries might have different encryption requirements for different types of data. Become familiar with these requirements from the outset.
- Plan for periodic reviews: Remaining compliant requires constant vigilance. Companies change, and processes evolve. Make sure you have a monitoring plan in place.
- Consider data security by design: Assume that your business will be impacted by upcoming legislation. Implement data security practices that will allow you to comply with any new laws. While you may have to adapt to a new piece of legislation in the future, you stand a better chance of already being close to compliance if you put the right baseline principles in place.
- Architect for mobility: When possible, architect your cloud solutions to allow for the mobility of your data should one region establish legislation that is business impacting.
An experienced partner can make all the difference
If this seems like a lot to consider, well, it can be. Especially today, when most IT departments are stretched thin, and retaining talent is almost as hard as finding it. Keeping up on data sovereignty adds more work on an already overloaded plate. But as we’ve seen, it can’t be ignored.
Remember that you don’t have to go it alone. Experienced partners can offer customized solutions to help you navigate the waters of data sovereignty are out there. With them, your IT teams are free to innovate around your core competencies and keep moving the needle forward, no matter where in the world you operate.
Should You Be Building or Buying AI/ML Solutions?
About the Authors
Chief Privacy Officer / VP & Deputy General Counsel
Brenna Nava has 15 years of experience as a practicing attorney and has worked at Rackspace Technology for approximately 10 years. She plays a key role in directing critical litigation, employment, compliance and privacy matters. During her tenure at Rackspace Technology, Brenna has represented the company in a number of high-profile cases. She has also advocated for sensible changes to laws and regulations to address the challenges that new technologies create. Brenna is the proud mother of three and loving wife to her favorite attorney, Alex. When not at Rackspace Technology, you are likely to find Brenna running, biking, kickboxing or reliving her glory days with her Dance Jam family.Read more about Brenna Nava