Compliance and the Cloud: Data Sovereignty Explained for MSPs
In the same way that you are subject to the laws that exist where you live, different countries have specific laws that determine how data residing in that country can be treated and stored — as well as what needs to be done to protect it.
But data can move around — especially in the age of the cloud, in which services and infrastructure can exist anywhere in the world. This makes it especially important to determine whose regulations your clients fall under at any given point in time.
The concept of data sovereignty was conceived to govern adherence to local regulations around the collecting, storing, and processing of data. There are more than 100 countries with data sovereignty laws, adding constraints that are often difficult for service providers to navigate. Understanding data sovereignty, and how to overcome its challenges, is critical for the modern MSP.
What is Data Sovereignty?
While it’s important to understand what data sovereignty is, there actually isn’t one universally agreed-upon definition.
Some use the term to refer to any one person’s individual right to control their own data. Others see it as a term to address how companies use data, rather than the laws which require them to protect it. Still others use the term to describe the notion that states should have the right to maintain control over data created within their borders.
For the purposes of this primer, data sovereignty will be defined by how it is understood in the broadest legal context:
“Data sovereignty is the concept that information, which has been converted and stored in binary digital form, is subject to the laws of the country in which it is located.”
Data owners or managed service providers (MSPs) need to be aware of these laws in order to avoid violating restrictions on how that data can be used or processed. They may also, depending on the location, need to be able to account for the data in order to show compliance with such laws.
It should also be noted that in some cases, the reach of data sovereignty goes beyond the borders of the country where the data is located; for example, the data of a European Union resident stored in the United States.
Therefore, a more complete definition of data sovereignty would be “the extent to which data is subject to the laws of a country, no matter where it is stored.”
What Data Sovereignty Isn’t
For clarity, it should be noted that data sovereignty is not synonymous with data privacy. Data privacy laws, such as the European Union’s General Data Protection Regulation (GDPR), relate to how companies can responsibly protect the data of individuals. In this sense, your clients’ data sovereignty determines the applicability of such data privacy laws.
Other similar concepts that might be confused with data sovereignty include data residency, which relates to the locations where data is kept (not the laws that govern it), and data localization, in which states assert that data cannot leave their boundaries. While the latter might be the most extreme expression of data sovereignty, it isn’t in and of itself a description of the term.
However, data localization laws have doubled in the last ten years, clearly demonstrating how this major concern for organizations is only growing.
The Challenges of Data Sovereignty
There are many factors that can make compliance with data sovereignty requirements complicated for you and your clients to meet. It’s largely a problem that comes with success: the bigger your client is, the more likely it is they’ll have data falling under multiple data sovereignty restrictions.
Some of the challenges that come with being subject to the data sovereignty requirements of one or more countries include:
- Rapid changes — Since data sovereignty is a fairly new concept, the laws that countries enact to establish their data sovereignty are changing at a rapid pace. Occasionally, these changes can be positive, such as when new legislation allows legal data transfers between countries. However, this is not always the case.
- Growth — The more data your clients have, the more complicated it can become to understand which data sovereignty laws apply to it. Organizations that grow beyond their original country of origin, or that take on clients from around the world, will quickly find their data sovereignty requirements stacking up.
- Data mobility — New laws may mean new restrictions on how data can be moved between countries. This can limit the availability of certain cloud services and locations for your data. Data sovereignty may also extend to how data can be moved between repositories, requiring certain levels of encryption for data in transit as well as at rest. However, not every data transfer method enables an optimum level of cyber protection.
- Transparency — Being able to show how your team handles clients’ sensitive data is key to demonstrating compliance with data sovereignty laws, but that level of technological transparency can be difficult to provide. Some organizations don’t have the staff or tools required to describe how data collection and data use works.
- The cloud — While its benefits are innumerable for your clients, the cloud poses data sovereignty issues due to the dispersed nature of its infrastructure. If organizations aren’t careful, their cloud deployments could extend into different regions with different data sovereignty laws. On the other hand, complying with certain data sovereignty strictures may limit choices when it comes to the cloud services you make available.
- Violation risks — Governments enforce their data sovereignty laws with fines. Running afoul of a country’s data sovereignty can also cause lasting damage to the relationship between the organization and that country, which may lead to a loss of business. Certain violations of data sovereignty could potentially result in prosecution, depending on the alleged offence.
- Increased costs — You or your clients could face increased operational costs due to data sovereignty, from internal training on additional laws to the data layer changes required to accommodate new rules and regulations.
How to Approach Data Sovereignty
No matter where you store your clients’ data, it’s critical that you’re aware of the relevant data sovereignty laws — especially if that data spans more than one region with distinct regulations. These laws will affect every level of your services deployment, from where data is stored, to how it is shared in the development pipeline, to your client’s boardroom office.
In some ways, MSPs that are poised for a digital transformation have an advantage here, as they can design their cloud environment or services to better align with data sovereignty goals. For deployments that are already in the cloud, or straddling the cloud and data centers with hybrid deployments, more effort may be needed to make sure all of these components comply with regulations.
One key to maintaining some degree of flexibility regarding your approach to data sovereignty is to avoid getting locked into any single platform. Knowing where you want to keep data is the first step, but you’ll also need to understand how local laws will hold you responsible for data possessed within that country’s borders. These decisions will have a big impact on controlling your operational costs and in getting data to most of your clients’ end-users. However, the ease in accomplishing this will also depend on where their data is located.
Organizations, and especially government and private sector businesses, tend to operate with strict levels of secrecy. However, this can run contrary to the goals of data sovereignty. Some laws that govern data, such as the GDPR, require users to authenticate how data is used and where it is located. Transparency and “privacy by design and default” should be built into the services you use in order to meet such requirements.
Making sure your services are aligned with relevant data sovereignty laws will require constant attention and care. Data governance tools that can monitor and report on your data to help you understand your legal responsibilities and to convey that information to relevant authorities may help significantly with this need. Look towards cloud storage solutions that rely on secure and compliant data centers supporting a range of physical locations, and to vendors that have adopted a full-lifecycle approach to security.