ktsdesign - stock.adobe.com
Data sovereignty pertains to country-specific regulations that any data collected or processed must be subject to the laws of that country. This concept is different from data residency, which is a business prerogative on where data is stored, although data residency typically mirrors any data sovereignty laws that exist in a country.
The rise of a new function headlined by chief data officers (CDOs) is becoming the norm. The growing responsibilities of this function include the following:
- preventing data breaches by minimizing access to only those authorized to access the data;
- implementing policies to protect stored data; and
- ensuring any data being transmitted follows encryption, storage and lifecycle policies, including destruction.
The advent of cloud has made data sovereignty implications and implementation much more complicated. For instance, consider what it means for a U.S. enterprise using cloud infrastructure from a provider in the U.K. that also has customers in the EU. Data collection may happen in Italy and, therefore, be subject to the data sovereignty rights of Italy, but since the data is stored in the U.K., it would be subject to the data sovereignty rights of the U.K. as well. To further complicate matters, if data backup happens in Ireland, it is subject to the data sovereignty rights in that country, too.
Confused yet? Given the complicated landscape that data sovereignty in the cloud exposes, it is prudent for enterprises to stay aware and compliant. Here are three ways to achieve this.
1. Look to the cloud
The cloud itself may have the answer. While the major cloud providers, including AWS, Microsoft and others, attribute adoption rates based on customers' focus on cost, availability and flexibility, data sovereignty is a key attribute as well. Most IaaS providers have in-country data centers, which enable that first requirement to be met. In addition, key features, such as encryption and other available security-as-a-service options, enable customers to comply with local regulations.
One major caveat: It is imperative that the appropriate stakeholder within the enterprise understands each specific country's data regulations and assesses and implements the appropriate management tools offered by each provider to comply with these regulations.
With the rise of the CDO, there is now a responsible person in the enterprise who needs to ensure the cloud provider has answers to the following in the agreement:
- privacy compliance regulations being adhered to;
- data location optionality and recommendations based on compliance, cost and performance; and
- data encryption, key management, backups and restoration processes.
2. Make uniformity key
Enterprises should implement the strongest of regulations uniformly. If an organization has a global footprint, keeping up with each region's data sovereignty laws it does business in and with is an ongoing challenge.
One way to reduce complexity is to take the strongest of these laws and implement it consistently across all regions, regardless of what other regions require. The cloud can help with this. Assess which cloud providers offer these options -- typically, the larger providers and the ones that focus on particular industry verticals do it best.
What used to be the CISO's responsibility is increasingly falling under the purview of the CDO. This includes data manipulation, theft, encryption (ransomware) and loss. With rising cases of data intrusions due to breaches by third parties -- contractors, partners and software libraries -- relying on even the strictest of regulations does not guarantee data security, as there is always a lag. Continuous policy updates, as well as following these regulatory mandates, are critical.
3. Implement data governance in the cloud
While the cloud provider may provide data sovereignty capabilities, implementing and updating policies on top of the strictest of regulations help reduce risk. Having a complete data governance process in place ensures that adherence and continuous risk assessment and mitigation are maintained at all times. These five steps help achieve that end:
- Discoverability. Define and manage data in the cloud.
- Quality management. Ensure adherence to data sharing and domain adherence.
- Compliance. Help reduce risk by updating policies on top of strict regulations.
- Access. Monitor, automate and manage access to administrators; provide efficient response to customer requests, partners and compliance.
- Lifecycle management. Manage data creation, sharing, retention and destruction.
Data sovereignty laws and regulations are constantly evolving and growing in number and requirements. The data tsunami continues unabated, and cloud adoption is increasing rapidly. Put together, this trifecta offers some hefty challenges. However, with some initial investment and ongoing process implementations, enterprises can get ahead and stay ahead.
The role of the CDO will also continue to evolve and intersect with the responsibilities of the CIO, CISO, chief privacy officer, legal and other functions in the future. Adaptability by staying ahead of the data sovereignty laws and creating strong data governance frameworks for the cloud will reduce risk for the business.