Why your data needs to be under local law
Darren Hopper explains what data sovereignty is and why storing your business data locally isn’t enough to keep it safe.
Data has been dubbed “the new global currency”, but it’s a currency that can rapidly lose its value if companies don’t ensure they have the right protections in place.
One of the issues leaving companies and their data at risk is a flawed understanding of the concept of data sovereignty vs data residency – and how the differences between the two can impact governance and access.
Data sovereignty provides government with the means to prevent unvetted access by foreign contractors, support staff and other entities to sensitive government data; data residency does not.
Data residency designates the physical location where data is stored and is an important term for commercial and taxation purposes. Other benefits of data residency can include data performance (latency) and edge computing use cases.
Data sovereignty means the data is not only stored in a designated local location (‘local’ to you and your customers) but that it is “within jurisdictional boundaries” and subject to the laws of the country in which the data resides. Data sovereignty is an important term for regulatory and data security purposes and offers all the benefits of data residency but with additional control and legal oversight.
The difference is crucial.
It means any person whose personal data is being collected, held or processed is subject to different privacy and security protections according to where the data centres housing their data are physically located.
A report from the Centre for European Policy Studies estimated that over 90 percent of data in the Western world is stored or processed by US-based providers. The risks associated with handing over jurisdictional control of valuable data are becoming increasingly visible to organisations.
In a recent IDC survey, 79 percent of respondents were moderately to extremely concerned about critical data being managed by US cloud providers, due to issues such as the US CLOUD Act, which gives US law enforcement authorities the power to request data stored by most major cloud providers, even if the data is outside the United States.
In Europe these concerns were behind the creation of GAIA-X, a common set of policies and rules that can be applied to any existing cloud technology, and in a recent Gartner report ‘Sovereign Cloud’ was identified as one of the key emerging technologies spurring innovation through trust, growth and change.
While hyperscaler technologies can provide their customers with assurances around data residency, these assurances can’t be extended to data jurisdiction. To be sure your data is subject to local data law you need a sovereign cloud provider to sit alongside your existing technology stack.
With hyperscalers already in Australia and soon to have a local presence in New Zealand, it is important for companies to ensure they have a clear strategy for their data.
With experienced teams on the ground in Australia and New Zealand, Datacom is in a unique position to advise companies and help them protect their data and bring it under the protection of local data law. We have strong partnerships with hyperscalers including Microsoft, Google and AWS, enabling us to design and implement hybrid data strategies that leverage the benefits of both hyperscale and local sovereign cloud solutions including Datacom’s own CloudX hybrid cloud.
Five reasons to prioritise data sovereignty
1. Gaining customer trust. People are increasingly interested in how their data is being stored and protected. Government organisations offering digital services where sensitive information is processed or hosted will not get buy-in from people if they cannot trust that their personal details will be protected and kept onshore, under local control and governance. As customers become more acutely aware of data privacy issues, they will actively seek out those organisations that offer legitimate sovereign data status.
2. Minimising compliance issues. If your data is housed offshore – or it’s housed locally with an offshore provider but you don’t have data sovereignty – then your data is subject to offshore data laws. This can create compliance headaches. You will need to be vigilant about keeping up to date with relevant global data privacy changes and laws, and act quickly to make any changes required to keep your business in compliance. Maintaining compliance around your data and data privacy is not optional, so it is important to assign responsibility for data compliance to someone in your business so that it is not overlooked.
3. Reducing exposure to complex offshore data laws – and risks. Changes to overseas laws can adversely impact your data without warning. If your data is hosted with a global cloud services provider then you will need to be prepared to rapidly understand how any changes could impact your data and, critically, whether the changes present any risks or challenges to your customers’ privacy.
4. Preventing unauthorised access. Even if your data is held locally (in your own country), hosting it with a global cloud services provider means employees of that provider who reside in different jurisdictions can access your data and configuration details from overseas – unless you have data sovereignty. Sovereign cloud providers maintain ‘in country’ employees who are authorised to manage and support sovereign class data.
5. Controlling costs. Cost is often a factor when organisations make decisions about their data storage. But what often gets overlooked in calculating these costs is how expensive it is to get it wrong. If your data is hosted offshore or hosted locally but subject to international laws, then you need to factor in compliance costs and the potential risks around unvetted access and control of your customers’ data. Getting the right data protections in place is a smart investment.
Darren Hopper is associate director at Datacom Cloud.