What is data sovereignty?
Data sovereignty is the notion that data is under the jurisdiction in which it is collected or processed and must remain within its borders. In simpler terms, this means the legal rights of data subjects (any individual whose personal information is being gathered, retained, or processed) and data requirements will depend on the location in which the data is stored. Therefore, organisations will have different responsibilities depending on their geographical locations.
In short: Data sovereignty is the principle that a country has complete control over its data. For example, let’s suppose a Canadian organisation’s information resides in a data centre located in France. In this case, the data now falls under French laws and not Canadian laws despite the data belonging to the Canadian entity.
But how does this apply to cloud backups?
What is data sovereignty in the cloud?
Now that we’ve explained the concept of data sovereignty as a whole, let’s delve into data sovereignty in the cloud. Cloud data sovereignty is the notion that data stored in the cloud is subject to the laws and regulations of whichever jurisdiction has authority over the relevant cloud infrastructure. In other words, cloud data sovereignty refers to the ways in which regulatory laws or other policies may impact data stored in the cloud, depending on the country or region where your cloud data is hosted.
Example: A company operating out of Australia chooses a cloud provider that hosts client data within the European Union. Because the Australian entity’s data is stored within the E.U., the company may now be subject to E.U. data regulations, such as the General Data Protection Regulation (GDPR).
To make matters more complicated, cloud vendors typically don’t inform customers of the regulatory stakes of selecting one cloud region versus another, and most organisations are not aware of them. While ‘the cloud’ may seem intangible, it is very much grounded and geolocated within the borders of countries. Therefore, if you’re backing up your data to a cloud service (which is more than likely in today’s technological landscape) your data is being stored in a data centre – but the question is: where?
As cloud computing becomes the norm, it’s important for organisations to implement data protection strategies that take data sovereignty into consideration. Not knowing where your data is being stored can land you in hot water – particularly if you’re in violation of local privacy regulations and legislation.
When considering where to store your data – whether on-premises, within a data centre, or with one or more cloud providers – you should consider where the data will be stored and what laws, compliance, or regulations will apply to it.
Data sovereignty vs localisation vs residency
The terms Data Sovereignty, Data Localisation and Data Residency are a source of confusion for businesses managing data, who may believe they are interchangeable. Here is an overview of each term to clear up misinterpretations:
Data Residency:
Data residency refers to the geographical location where businesses specify their data is stored. Usually this is for regulatory or policy reasons. As an example, a data residency policy may require proof from a business that it isn’t conducting too much of its core activities outside of that country’s borders – including data processing. In this example, the business will then implement a data residency policy that sets restrictive data management workflows on its operations and cloud providers.
Data Sovereignty:
Data sovereignty is a governmental policy or legislation stating that data is subject to the data and privacy laws of a specific geographical location.
For example, Australia’s Privacy Principles dictate that personal data kept in Australia must meet the thirteen standards specified by the APP, including how data is used and collected and a person’s right to access their data.
Data Localisation:
People often use data ‘sovereignty’ and ‘localisation’ interchangeably, but they are in fact separate terms. Data localisation is by far the most restrictive of the three. In some cases, data localisation legislation only requires that copies of relevant data remain within the country’s borders, guaranteeing the government can audit data on its citizens in due course.
Why does it matter?
There is an adage: ‘ignorance of the law is no excuse’. It’s important you know where your data is stored, because if it is stored in a country that is not your own, you are still subject to that country’s laws. Consequences such as having your data seized or accessed by the government of that country are completely plausible.
Consider this: An Australian entity uses a cloud provider based in the U.K., with customers in the EU and the U.S. It is plausible that data collection via a website may occur in Italy, California, and even Australia. Therefore, collected data will be subject to the data sovereignty rights of Italy, the United States, and Australia – but since the data is stored in the U.K., it is ALSO subject to the data sovereignty laws in the U.K. It gets confusing, right?
Given the complicated and often confusing landscape that data sovereignty in the cloud presents, it is important for organisations to stay aware and compliant.
Key considerations & best practices
Before you consider compliance, regulations and rules, first you should consider how and where to store your data – such as on-premises or in the cloud. If you have chosen the cloud, data sovereignty becomes more complex. Generally, when utilising the cloud you will need to choose options for replication and backups of your data, which are often stored in other geographical locations. Your chosen cloud provider may or may not allow you to select the region where your backups or replicas will be stored. When choosing your provider, ensure you have the ability to specify the region in which your data will be stored and understand the regulatory requirements of each region.