As the world continues to become a globally connected ecosystem, data fluidity has sparked national and international conversations around notions of data and digital sovereignty. While these concepts are still emerging, many countries are developing laws and regulations to deal with the boundless nature of data, and with the global and multinational organizations that are creating, housing, and distributing it. What do organizations need to do in order to operate under these new sovereignty concepts? First, we must understand how data sovereignty came to be.
What is data sovereignty?
Before explaining data sovereignty, let us understand a broader concept—digital sovereignty—first. Digital sovereignty revolves around a value-driven, ordered, regulated and secure digital destination for all data, hardware and software, infrastructure components and application operations. Digital sovereignty is presumed to resolve multifaceted problems with respect to individual rights and freedom, political and legal enforceability at a local, regional and national level within a fair competitive market.
Digital sovereignty encompasses three main streams:
Operational sovereignty refers to transparency into and control over a provider's operational processes, eliminating bad actors or processes that would compromise access to and the quality of valuable information.
Software and hardware sovereignty refers to an organization's freedom to store and run workloads wherever desired to maximize performance, flexibility and overall resilience (with the nominated cloud or on-premise hardware, network components, virtual hardware, data centre components and more).
Data sovereignty is the control of sensitive data in adherence to local geographical jurisdiction and prevention of unauthorized access and loss of data.
Data sovereignty addresses legal, privacy, security and governance concerns associated with the storage, processing and transfer of data. Many use data residency and data sovereignty interchangeably; however, there is a difference between the two. Data residency deals with the physical location where data resides and involves considerations such as local laws, regulations and infrastructure, while data sovereignty addresses the ownership, control and legal aspects of data. With data sovereignty, the focus is on the ability to exercise control, make decisions and enforce legal and regulatory obligations related to the data, regardless of its physical location.
Data sovereignty places constraints upon the data in different countries. Certain countries have limitations on data transmission outside the original country. For example, when dealing with data sovereignty in the US, we need to be aware of the pertinent laws both at the federal level (of which there are many) and individual state level. Companies that are conducting business in the stated legal boundaries could be prohibited, by law, from transferring their data or sending data to a third-party cloud provider for storage or processing.
In addition, certain countries have privacy laws that restrict the disclosure of personal data to third parties. While the US doesn't have a single data privacy law at the federal level, the California Consumer Privacy Act of 2018 is one of the most ambitious pieces of data privacy legislation ever enacted in the US, much like the European Union's GDPR.
Data sovereignty in the EU is an evolving field. There have been calls in Europe to create a stronger European-based cloud infrastructure that can help better ensure data sovereignty within the EU’s member states. The Digital India Bill 2023 aims to replace India’s existing Information Technology Act of 2000 and provide comprehensive oversight of the digital landscape. It seeks to address modern challenges like cybercrime, data protection, deepfakes and online safety.
Data stored in cloud computing services may be under the jurisdiction of more than one country’s laws. However, the laws may make an organization’s compliance even more difficult when there are multiple domestic data privacy statutes to juggle across the countries. Different legal requirements regarding data security, privacy and breach notification could occur, depending on where the data is being hosted or who is controlling it. Legal restrictions can especially impact organizations that use hybrid-cloud strategies—they employ public cloud providers, as well as running local data centers, and each cloud deployment must adhere to separate, local legal requirements.
Key considerations to ensure data sovereignty are:
Leverage cloud provider capabilities to fine-tune the physical location of each dataset so that it meets the geo-location requirements for that data. It is also important to define data access policies and encryption so that users receive permissions and rights in line with separation of duties.
Establish contractual agreements with cloud service providers so that they address compliance as per the law of the land, with respect to data storage location and other regulations for the cloud infrastructure.
Implement data sovereignty requirements as per the complexity and stringency of the region’s jurisdictions. The application of security measures and standardization of control and audit might benefit the organization even if the location regulations are not too strong.
Establish organizational data governance frameworks, policies, procedures and tools to bring in the required control and audit.
Ensure services are available with key process indicators and metrics across regions, multi-zone and multi-region to ensure business continuity.
Governments around the world are becoming concerned with their dependence on foreign cloud infrastructure providers. That has led to a number of initiatives that attempt to control digital sovereignty within geographical boundaries. As per UNCTAD statistics, approximately 71% of countries have put in place legislation to secure the protection of data and privacy; 9% of countries are progressing and have some draft legislation; 15% of countries are still without any basic legislation for the security of their digital data; and 5% of countries are still groping to bring in data governance.
With respect to the cloud’s shared responsibility model, there is a basic delineation between cloud users and cloud providers about which parties are responsible for different elements of deployment. Cloud providers are responsible for maintaining pay-per-use services and infrastructure, whereas users are responsible for data and ensuring that it stays safe, protected and complies with the law. That is where accountability to data sovereignty comes in. As far as the shared responsibility model is concerned, if data does not comply with local data sovereignty laws, it’s an organization’s problem, not the cloud provider’s responsibility.
It is evident that organizations will need to pick up data sovereignty as a key governance initiative while deploying applications within the cloud platform.
Organizations will need to relate their business imperatives and map them with the varied regulations, which will help to bring in the right perspective to ensure data sovereignty.
For example, DORA is one of the world’s most far-reaching cybersecurity regulations for financial services organizations and enterprises offering information and communications technology (ICT) services. And GAIA-X is a public-private consortium that helps to foster innovation through “digital sovereignty,” establishing an ecosystem whereby data is shared and made available in a trustworthy environment, giving the control back to the users by retaining sovereignty over their data.
While data sovereignty can provide benefits for governments and businesses, it also presents a number of challenges.
Transfer of data across borders can result in increased costs and complexity for businesses that operate globally and rely on the seamless flow of data across different jurisdictions.
Some countries may require that certain types of data be stored and processed within their jurisdiction, which can be challenging for businesses that operate in multiple regions.
Compliance with local data protection regulations can be complex and costly for businesses, as regulations can vary from country to country.
Data sovereignty can increase cybersecurity risks, particularly if data is stored in a single location or jurisdiction. This can make it easier for cyber-criminals to target and compromise data, which can have significant financial and reputational consequences for businesses.
Data sovereignty can create challenges for international data sharing agreements, particularly if countries have different requirements for data protection and storage. This can result in delays or restrictions on data sharing, which can impact business operations.
What enterprises need to do
With growing concerns about data sovereignty, organizations must understand the essential aspects of ensuring data privacy when implementing cloud solutions. Data sovereignty in the cloud refers to how cloud service providers (CSPs) manage, protect and limit access to data to comply with legal requirements. It involves understanding how CSPs store, process and transfer sensitive data, as well as how they address potential risks and vulnerabilities. Proactive steps should be taken to ensure that an organization’s cloud strategies align with national laws and regulations regarding data protection, lest they face severe consequences for non-compliance.
As a starting point, organizations should apply a strategic approach that encompasses legal, technological and operational aspects to achieve data sovereignty. Keeping building blocks of data sovereignty in mind, here are some of the key steps needed to get aligned with policies and compliance requirements within a geographical boundary:
Data governance and compliance: Establish clear policies and procedures for data handling, outlining responsibilities, access controls and regulatory compliance. Regular audits ensure ongoing adherence to these guidelines, so make it part of the governance framework.
Contractual agreement and SLAs: When engaging with third-party vendors or cloud service providers, contractual agreements should explicitly address data sovereignty concerns. Service Level Agreements (SLAs) should detail how data will be collected, stored, processed and protected, aligning with the data sovereignty needs.
Data classification and categorization: Data needs to be handled according to its importance, as not all data is created equal. Data should be classified and categorized based on its sensitivity and the regulatory needs of the organization.
Data transfer and transborder data flow: Data transfers between geographical boundaries with different data protection laws necessitate careful consideration. Having mechanisms to assess and manage these transfers is crucial. Ensure that the design pertaining to data transfer and transborder data flow adheres to data sovereignty requirements, and is in line with the policy or regulations within the geographic boundary.
Data residency and location control: Select the data centers and storage solutions in alignment with the legal requirements of the regions they operate in. This choice impacts regulatory compliance and mitigates potential risks.
Data backup and recovery: Data sovereignty also encompasses the ability to retain control during data backup and recovery processes. Implement solutions that ensure data remains within the requisite jurisdiction even during disaster recovery scenarios.
Access control and authentication: Implement stringent access controls, policies and multi-factor authentication to prevent unauthorized access and potential breaches.
Secure and scalable storage: Evaluate the cloud provider’s data center locations and security protocols at periodic intervals to ensure alignment with regulatory demands, thus meeting the data sovereignty requirements.
Encryption and key management: Strong encryption, along with proper key management practices, ensures that even if data is accessed by unauthorized entities, it remains indecipherable and unusable.
Data sovereignty procedures should be regularly monitored to identify areas for improvement. It is pertinent to stay up-to-date with evolving regulatory requirements, technological advancements and emerging threats. Data governance frameworks within the enterprise need to be tweaked accordingly, ensuring that all stakeholders understand their updated roles and responsibilities. Continuous monitoring is one of the key enablers for successful implementation of a strategy around data sovereignty.
As we continue to navigate the complex landscape of data privacy and security, it’s clear that data sovereignty is an increasingly critical consideration for businesses around the world. With the rise of cloud computing and global data flows, the traditional boundaries between nations and jurisdictions are no longer sufficient to protect sensitive digital resources like data within a given geographical boundary. By prioritizing data sovereignty, organizations can build trust with customers and stakeholders, enhance brand reputation and avoid costly legal and reputational consequences. Ultimately, data sovereignty is not just about compliance—it’s about doing the right thing for our customers, employees and communities.
In this era where data is the new currency, organizations must navigate the complex landscape of data sovereignty with diligence, adopting technologies, policies and practices that empower them to remain the custodians of their data destiny while adhering to geographical compliance or regulatory requirements. It’s a journey that organizations should embark upon with conviction, ensuring that they not only protect data but also preserve the principles that underpin our digital society.