The Ins and Outs of Data Sovereignty

The adoption of public cloud platforms is accelerating in all sectors and markets, driven by the promises of increased agility, improved operational efficiency, higher resiliency, and lower costs. However, as organisations transfer more workloads and data to the cloud, many have recognised the need to assure they remain compliant with the plethora of data sovereignty regulations that exist across the globe.

So, what is data sovereignty and why do both public and private sector organisations need to care about it? In simple terms, data sovereignty is the concept that data is subject to the regulations of the country in which it was originally collected. Hence, if you collect data from individuals or organisations in multiple countries, you need to ensure that you process, manage, store, and dispose of that data in accordance with the laws of each country from which it was collected.

For example, the European Union’s General Data Protection Regulation (GDPR) stipulates that data collected within the EU can only be transferred to a third country for which the European Commission has determined that there is “an adequate level of protection”, or otherwise where “appropriate safeguards” have been put in place. This applies to both “data controllers” (those responsible for determining why and how data should be processed) and the “data processors” (those who process the data). Whereas in China, the new Personal Information Protection Law largely prohibits the cross-border flow of personal data entirely. These are just two examples of over 100 different regulations governing data sovereignty globally.

Such a variety of legislation can be hard to manage when an organisation is processing data solely within its own data centres. However, the complexity increases further with the broad adoption of public cloud platforms. Often, it can be hard to know exactly where data is being processed. And even if you can stipulate the country where your data is stored and processed, there may be a risk that the cloud service provider (CSP) could be subject to regulations that would require them to provide third parties access to certain types of data.

And the impact of failing to adhere to data sovereignty regulations can be severe. Under GDPR, for example, the maximum fine for non-compliance is $20m or 4% of global annual turnover, whichever is larger. There have been several examples of fines over $100m imposed by regulators globally.

So, how should organisations address the challenges of data sovereignty? At the highest level, there are three basic steps:

1.     Map the data sovereignty regulations that apply to your organisation. Catalogue all the countries from which you collect data and conduct a thorough review of the regulations in each country that impact data sovereignty. Categorise the different provisions of the various regulations and create a map of the types of provision and the jurisdictions to which they apply.

2.     Conduct a data classification exercise. Review all your data repositories to understand the nature of the data stored in each one. Many will be application-specific databases, where the nature of the data will be relatively easy to classify (for example, customer records stored in your customer relationship management (CRM) application). Some repositories will contain unstructured data records, which will be harder to classify (for example, file-shares or SharePoint accounts). For these data stores, you will need to use file-level content-based classification to understand the nature of the data.

3.     Establish controls to assure compliance with the requisite regulations. Define policies and implement technical controls to assure that your data is processed in accordance with the regulations that apply to your organisation. These may include policies to restrict the types of data that can be moved to cloud platforms in various countries, as well as technical controls that ensure that data stored in the cloud is retained within appropriate jurisdictions or protected from access by other entities (for example, by using encryption).

So, how can Veritas help address data sovereignty concerns? Partnering with the Cloud Service Providers, including AWS and Microsoft, we have created the Veritas Alta™ cloud data management platform. This provides a comprehensive set of capabilities that complement the CSPs’ own tools to enable and support your efforts to stay compliant with the relevant regulations.

Firstly, we automate the process of scanning all your unstructured data stores, both on-premises and in the cloud, and classify the files they contain. This helps risk and compliance teams to identify data that may be subject to data sovereignty regulations, so that it can be handled appropriately – assuring that it remains within the relevant jurisdiction. In a recent example, a global property design and construction company used our file scanning and classification tool to review their unstructured data stores on premises before moving their data to Microsoft 365. This enabled them to determine which data could be safely moved to the cloud, which should be retained on-premises, and which could be safely deleted.

Next, we give you a choice of where to store the data held on our platform, so that you can be sure it stays within the correct country boundaries. For example, you can select the Azure or AWS region that you want to use, or you can choose to store your data within your data centres. We also give you the option to store multiple copies of your data in different regions, different clouds, or even to store one copy in the cloud and another in your data centre to meet your organisation’s specific compliance and resiliency requirements. So, if you lose access to your cloud services, you can still access a copy of the data stored on-premises. For example, a global financial services firm uses our cloud-based archiving platform to journal electronic communications from a variety of sources in multiple jurisdictions. However, in China, they use our archiving platform deployed in their own data centres, to assure they stay compliant with the stringent local data sovereignty regulations.

Finally, for data that is stored on our platform in the cloud, we encrypt the data in flight and at rest and give you the option to “bring your own key”. This ensures that, even if a cloud provider were compelled to hand over the data to the authorities in another jurisdiction, those authorities would not be able to access it. For example, a global automotive manufacturer uses our cloud storage platform to store a ransomware-resilient copy of their backup data for long-term retention. They integrate the cloud storage platform with their own key management system, to assure that data stored on our platform is encrypted and can only be accessed by them.

In summary, data sovereignty should be a consideration for any organisation that is storing or processing data in the cloud. And it can be complex – especially if you collect data in multiple countries. With careful research, clear policies, and the right technical controls, you can build a compliance model consistent with the data sovereignty regulations in all the jurisdictions in which you operate. The Veritas Alta™ cloud data management platform provides many of the technical controls to make this easy. To take the first step, why not consider a complimentary Dark Data Assessment from Veritas? We will scan and classify a subset of your unstructured data sources, to provide you with insight into the types of data you are storing and the potential implications for data sovereignty. Contact your Veritas account manager for more details.