With the rise of colocated data centres, infrastructure as a service, software as a service and highly mobile workforces, one of the most important questions for businesses today is, "Where is my data?"
Different types of data are subject to different regulations that vary across jurisdictions, making data sovereignty a technical and regulatory challenge.
In some cases, answering the question of where your data is can be straightforward. If you have your own data centre, where everything is stored in one place with sufficient physical security and logical controls, you can be reasonably assured you know where your data is in the event of a hacking incident or theft. This has been the traditional approach.
However, when companies start to embrace off-site solutions such as cloud services, where they lose control of the infrastructure, the old model can break down.
There are cloud service providers that give undertakings, through service agreements, to ensure your data is retained within a country. But this requires enterprises to trust service providers to maintain their end of the agreement. This can be monitored by asking the service provider to share logs and other data that gives you assurance that the agreement is being honoured.
For companies that operate in multiple jurisdictions, matters become far more complicated. Each country has its own regulations about what data can move across sovereign borders. Although the Internet doesn’t recognise borders, countries do, and each one sets its own rules about what is acceptable practice.
The answer is a rules-based engine that can look at the data and put it in the right place. Service providers usually provide a written guarantee for data that is going to stay within a certain country. This ensures data doesn’t land on systems in the wrong jurisdiction and needs to be followed up with a bulletproof reporting and auditing structure that lets you identify errors and determine the cause so you can quickly remediate the problem.
The rules can change
The data sovereignty landscape is changing. New regulations, such as the European Union's General Data Protection Regulation (GDPR), mean companies need to stay abreast of changes in their data sovereignty obligations. The focus of the GDPR is on the movement of personal data outside the EU.
Compliance with GDPR comes into effect 25 May 2018 and will give citizens the right to ask organisations to erase personal data pertaining to them. Although this is an EU regulation, it extends to data that pertains to EU citizens where it is stored in non-EU jurisdictions.
In practice, this will require a level of information management with the capacity to look inside databases, documents and other repositories wherever they are in the world to identify where an EU citizen's personal information may be recorded. Then, companies will need processes that allow them to selectively destroy that data from every location where it may be stored in their systems and network whenever an EU citizen has demanded it.
Setting a strategy
Creating a robust data sovereignty policy for your company starts with data classification.
Being able to manage the challenges of data sovereignty begins with knowing what data you have and where it is stored. Given the volume of data most companies hold, this may seem to be an impossible task, but there are tools that can interrogate your systems and network and tell you what you have and where it is stored.
That report might look like an insurmountable list, but it can be used to highlight the magnitude of the problem to management and prioritise where to start. Then you can break the task into manageable chunks. Start with your highest risk business functions or a new application. Then move to another part of the business.
When choosing new service providers and systems, it is important to consider the portability of your data. With regulations around the world changing, it may become necessary to move data, either out of one jurisdiction to maintain compliance or to a different service provider. Avoiding vendor lock-in is critical.
Data sovereignty is a critical issue, particularly for multinational organisations. Knowing what data you have and where it is stored, and having robust processes for managing that data, is critical. Rules are changing globally, so having a robust and flexible approach will help keep your company on the right side of the regulators.