Data Sovereignty in the Cloud: Key Considerations

What is Data Sovereignty?

Data sovereignty refers to the laws applicable to data because of the country in which it is physically located. The legal rights of data subjects (any individual whose personal information is being gathered, retained, or processed), and data protection requirements, depend on the location in which their data is stored. Accordingly, organizations will have different responsibilities for data in different geographical locations.

Data sovereignty is distinct from data localization and data residency:

  • Data localization refers to a governmental policy that prohibits organizations from transferring data outside a specific location. It is a special case of data sovereignty.
  • Data residency is a decision by businesses to store data in a specific geographical location. Organizations might store data in a specific location to avoid legal requirements, take advantage of tax regimes, or for performance reasons. Once an organization chooses a location for its data, it is subject to data sovereignty—the laws applicable in that region.

 

In this article:

What is Data Sovereignty in the Cloud?

Certain countries have limitations on data transmission outside the original country. In addition, certain countries have privacy laws that restrict the disclosure of personal data to third parties. Thus, companies conducting business in these countries could be prohibited, by law, from transferring their data or sending data to a third-party cloud provider for storage or processing.

Data stored in cloud computing services may be under the jurisdiction of more than one country’s laws. Different legal requirements regarding data security, privacy, and breach notification could occur, depending on where the data is being hosted or who is controlling it.

Legal restrictions can especially impact organizations that use hybrid-cloud strategies—they employ public cloud providers, as well as running local data centers, and each cloud deployment must adhere to separate, local legal requirements.

As you consider where to store data—on-premises or in one or more public cloud providers—you need to consider where the data will be stored, what laws will apply to them, and whether storing data in a certain location will be beneficial or harmful to your business.

Companies using cloud infrastructure must address data sovereignty analysis holistically. Data sovereignty is not an issue that can be addressed only by the Chief Information Officer. IT security, legal department, procurement, risk managers, and auditors must all be involved in risk management and governance processes.

Related content: Read our guide to Data Protection Regulations

Data Sovereignty vs. Data Localization vs. Data Residency

Here is an overview of the differences between data sovereignty, data residency, and data localization:

Data Sovereignty
Data sovereignty is a governmental policy or law noting data is subject to the data and privacy laws of a specific geographical location—for example, Australia’s Privacy Principles (APP). Personal data kept in Australia must meet the 13 standards specified by the APP, including how data is used and collected and a person’s rights to access their data.

Data Localization
People often use the terms data sovereignty and data localization interchangeably. However, data localization is a governmental policy or law that specifies where governments can locate data. An example is the EU’s EDPR. It states that European countries should host all personal information collected on European citizens within the EU within the EER, EU, or several other specified countries.

Related content: Read our guide to GDPR Data Protection

Data Residency
Data residency is a decision by a business to store their data in a specific geographical location. Businesses may choose a location for the data based on regulatory, performance, or tax considerations.

For example, a company can move data to a certain country to benefit from favorable privacy regulations in that country, or attempt to carry out a specific amount of business in a country to meet its tax benefit requirements. To accomplish this, the organization could make a data residency policy noting that all data should be processed and stored within that country’s borders.

Key Considerations and Challenges Surrounding Data Sovereignty

When you expand your data to additional regions, whether for production data, data backups or disaster recovery, you must be mindful of data sovereignty.

Data at Rest
Before you give thought to your compliance, regulations, and rules, one of the initial things to consider is how and where you store your data. The first choice is whether to store data on premises or in the cloud. In the cloud, data sovereignty becomes more complex.

If you utilize the cloud, you’ll need to select options for replication and backup, which in many cases will involve storing data in another geographical location. The cloud provider may or may not allow you to select the region where backups or replicas will be stored. Ensure you are able to specify the region in which data will be stored, and understand the regulatory requirements of each region.

Data in Transit
Organizations often overlook data in transit. It helps if you consider:

  • How often you transfer data between geographical regions
  • From where and to where data is transferred
  • What type of data is typically transferred

You should understand this journey because it relates to how data is being collected and processed. It is especially important to understand data sovereignty in the source and destination region, and if there are legal issues, adjust your data flows to ensure data ends up in the most appropriate legal jurisdiction.

3 Steps to Ensure Data Sovereignty in Cloud Computing

Here are key steps that can help you ensure data sovereignty in your cloud infrastructure:

  1. Leverage cloud provider capabilities
    Most cloud providers have data centers in geographical locations around the world. By fine-tuning the physical location of each dataset, you may be able to meet the requirement for data geolocation. Your cloud provider might also have other features that can help meet sovereignty requirements, such as data encryption.
  2. Implement data sovereignty requirements uniformly
    Each country has its own data sovereignty requirements. If you operate globally, adapting to each region’s regulations can be complex. You can simplify things by selecting one location with the strongest data sovereignty requirements and applying those across all regions. Applying more stringent data protection than actually required might appear wasteful—but it will provide additional security and data protection that can benefit the organization in the long term.
  3. Keep track of backups
    Data sovereignty not only applies to production workloads but to backups as well. Understand how your organization currently backs up information—whether on-premises, using dedicated cloud services like Dropbox or Google Drive, or using public cloud services like Amazon S3. Evaluate these backup options and ensure they are in line with each territory’s data sovereignty requirements.

Related content: Read our guide to Data Protection in the Cloud

Data Protection with Cloudian Secure Storage

Data protection requires powerful storage technology. Cloudian’s storage appliances are easy to deploy and use, let you store Petabyte-scale data and access it instantly. Cloudian supports high-speed backup and restore with parallel data transfer (18TB per hour writes with 16 nodes).

cloudian object storage appliance

Cloudian provides durability and availability for your data. HyperStore can backup and archive your data, providing you with highly available versions to restore in times of need.

In HyperStore, storage occurs behind the firewall, you can configure geo boundaries for data access, and define policies for data sync between user devices. HyperStore gives you the power of cloud-based file sharing in an on-premise device, and the control to protect your data in any cloud environment.

Learn more about data protection with Cloudian.