With the emergence of global data privacy regulations such as GDPR, organizations that collect personally identifiable information (PII) must answer a new question: is data subject to the local laws of the processor or of the person?

Data sovereignty refers to the concept that the data an organization collects, stores, and processes is subject to the laws and general best practices of the nation where it is physically located. Closely connected to this concept is data localization – the idea that data should be processed locally and remain within the borders of the jurisdiction where it originated.

As there is no clear-cut guide on how to effectively navigate the patchwork of global data protection regulations, organizations are increasingly adopting data localization policies, believing this approach will not only ensure regulatory compliance but also strengthen data protections. However, this approach is not without its own risks.

To start, determining data sovereignty is not always as clear-cut as it seems. For example, if a company based in Germany uses a U.S.-based cloud provider such as Google, the data is subject to U.S. law even if it is still physically stored in Germany. In this example, if the U.S. government were to subpoena Google for this data, Google would have to comply.

One real-world example of this is TikTok, which stores its data in Singapore and the U.S. so that it can’t be subpoenaed by the Chinese government. However, its parent company, ByteDance, is based in Beijing and is thereby subject to intelligence requests by the Chinese government, as is any data TikTok shares with it.

Secondly, hard data localization policies disrupt global data flows. For organizations that manage a large number of transborder activities, such as financial institutions, pharmaceutical companies, airlines and even hotels, this can pose major operational challenges.

Last but not least, setting up data centers in every country where one does business is not realistic for many global companies. Not only would this approach be incredibly expensive, but not all countries have the infrastructure or regulations to support such endeavors. In such environments, the risk of a data breach could actually increase.

Data Sovereignty Solutions 

One of the simplest and most straightforward data sovereignty solutions is encryption. Data encryption protects data by converting readable, plaintext data into an unreadable, encoded format known as ciphertext. Authorized users can unscramble encrypted data using a key.

Think back to the earlier example of the German-based company and Google. If the data were encrypted, Google technically wouldn’t have access to it, and therefore the data would no longer be subject to U.S. subpoena power.

Even with encryption and other forms of data masking, data sovereignty due diligence and planning must be built into one’s multi-cloud strategy. The CISO must partner with both stakeholders and cloud providers to determine which data should be stored where, based not only on costs but on security and accessibility as well.
