Tackling the challenges of data sovereignty in a multi-cloud world
This is a guest post by Andy Ng, vice-president and managing director for Asia South and Pacific region at Veritas Technologies
The shift to public cloud adoption is alluring, driven by the promises of increased agility, improved operational efficiency, higher resiliency, and lower costs. However, as organisations transfer more workloads and data to the cloud, many have recognised the need to remain compliant with the plethora of data sovereignty regulations that exist across the globe.
So, what is data sovereignty and why do organisations need to care about it? In simple terms, data sovereignty is the concept that data is subject to the regulations of the country in which it was originally collected. Hence, if you collect data from individuals or organisations in multiple countries, you need to ensure that you process, manage, store, and dispose of that data in accordance with the laws of each country from which it was collected.
Data sovereignty is akin to international travel – when we are back at home, we must obey local laws, but when we are travelling, we are required to obey the laws of the country we are located in. If we don’t, we risk punishment. Similarly, data sovereignty implies that an enterprise that has data located in multiple countries must make sure it complies with the data privacy laws of each country or risk punishment.
For example, the European Union’s General Data Protection Regulation (GDPR) stipulates that data collected within the EU can only be transferred to a third country for which the European Commission has determined that there is “an adequate level of protection”, or otherwise where “appropriate safeguards” have been put in place. This applies to both “data controllers” (those responsible for determining why and how data should be processed) and the “data processors” (those who process the data).
In Singapore, the local equivalent is the Personal Data Protection Act (PDPA), which stipulates that companies can retain personal data if it is still being used for the purposes for which the data was collected. But if data is no longer needed for that particular purpose, it must be deleted. These are just two examples of over 100 different regulations governing data sovereignty globally.
Data sovereignty and the cloud
The advent of cloud has forced data sovereignty to centre stage as its dispersed nature has broken down many of the traditional geopolitical barriers limiting the storage of data across borders. The transformation to multi-cloud – where enterprises rely on not just one, but multiple cloud service providers – delivers benefits to enterprises but also serves to increase the risk that data could extend – knowingly or not – into different regions with different data sovereignty laws.
Put simply, with the multi-cloud model, organisations don’t know or can’t control where their data is ultimately being stored or where replicated copies of the data are being pushed to. Even if organisations can stipulate the country where data is stored and processed, there may be a risk that the cloud service provider could be subject to regulations that would require them to provide third parties access to certain types of data. As such, organisations could be breaking their data sovereignty and privacy obligations without even knowing it – and the impact of failing to adhere to data sovereignty regulations can be severe.
Under the GDPR, for example, the maximum fine for non-compliance is $20m or 4% of global annual turnover, whichever is larger. Just look at some of the GDPR-related fines companies have faced in the past two years. In Singapore, the financial penalty cap for breaches under the PDPA has increased from S$1m to 10% of the organisation’s annual turnover in Singapore for organisations with annual local turnover exceeding S$10m, whichever is higher.
So, how should organisations address the challenges of data sovereignty? At the highest level, there are four basic steps:
- Map the relevant data sovereignty regulations for your organisation. Catalogue all the countries from which you collect data and conduct a thorough review of the regulations in each country that impact data sovereignty. Categorise the different provisions of the various regulations and create a map of the types of provision and the jurisdictions to which they apply.
- Conduct a data classification exercise. Review all your data repositories to understand the nature of the data stored in each one. Many will be application-specific databases, where the nature of the data will be relatively easy to classify (for example, customer records stored in your customer relationship management application). Some repositories will contain unstructured data records, which will be harder to classify (for example, SharePoint accounts). For these data stores, you will need to use file-level content-based classification to understand the nature of the data.
- Establish controls to ensure compliance with the requisite regulations. Define policies and implement technical controls to ensure that your data is processed in accordance with the regulations that apply to your organisation. These may include policies to restrict the types of data that can be moved to cloud platforms in various countries, as well as technical controls that ensure that data stored in the cloud is retained within appropriate jurisdictions or protected from access by other entities (for example, by using encryption).
- Adopt flexible cloud deployment models for backup and recovery. One key to keeping your cloud data backups from running afoul of data sovereignty lies in flexible cloud deployment models for your data backup and recovery, where you can control where the service and data are hosted. A solution with a single-tenant deployment architecture that can be provisioned in your own or the provider’s tenant in any region where your data is located is ideal. Single-tenancy means a single instance of a software application and supporting infrastructure serves only one customer rather than multiple customers. This provides the best possible foundation for a secure environment with no chance of your data commingling or migrating across borders and accidentally running afoul of data sovereignty rules.
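The four steps above can be tied together in a small residency audit, shown here as an added example that is not part of the original post: a policy map (step 1) and a classified inventory (step 2) are checked copy by copy, replicas and backups included (steps 3 and 4). All store names, region names and policy values are constructed assumptions for illustration, not legal guidance.

```python
from dataclasses import dataclass

# Step 1, constructed policy map: country of collection -> regions where
# copies may reside. Illustrative values only.
ALLOWED_REGIONS = {"SG": {"sg-1"}, "DE": {"eu-1", "eu-2"}}
# Step 2: classifications treated as regulated; unclassified data fails closed.
REGULATED = {"personal", "financial", "unclassified"}

@dataclass(frozen=True)
class StoredCopy:
    region: str
    kind: str                # "primary", "replica" or "backup"
    encrypted: bool = False  # assumed: encrypted under a customer-held key

@dataclass(frozen=True)
class DataStore:
    name: str
    collected_in: str
    classification: str
    copies: tuple

def audit(stores):
    """Return (store, kind, region, status) for each copy that needs action."""
    findings = []
    for s in stores:
        if s.classification not in REGULATED:
            continue
        allowed = ALLOWED_REGIONS.get(s.collected_in)
        for c in s.copies:
            if allowed is None:
                # No rules mapped for this country yet: flag, never assume OK.
                status = "unmapped-jurisdiction"
            elif c.region in allowed:
                continue
            else:
                # Step 3: encryption is a compensating control, so the copy
                # is queued for review instead of reported as a violation.
                status = "review-encrypted" if c.encrypted else "violation"
            findings.append((s.name, c.kind, c.region, status))
    return findings

# Constructed inventory covering replicas and backups (step 4).
INVENTORY = [
    DataStore("crm-db", "SG", "personal", (StoredCopy("sg-1", "primary"),
              StoredCopy("us-1", "replica"), StoredCopy("sg-1", "backup"))),
    DataStore("hr-share", "DE", "unclassified", (StoredCopy("eu-1", "primary"),
              StoredCopy("us-1", "backup", encrypted=True))),
    DataStore("web-assets", "DE", "public", (StoredCopy("us-1", "primary"),)),
    DataStore("partner-feed", "JP", "personal", (StoredCopy("jp-1", "primary"),)),
]
```

Running `audit(INVENTORY)` reports the out-of-region replica, the encrypted offshore backup and the store whose country of collection has no mapped rules, while the public assets are skipped.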
In a nutshell, data sovereignty should be a consideration for any organisation that is storing or processing data in the cloud. Making sure your data, including your backup data, is compliant wherever it may reside is your responsibility. Never just assume someone else is doing that for you. With careful research, clear policies, and the right technical controls, you can build a compliance model consistent with the data sovereignty regulations in all the jurisdictions in which you operate.