What is Data Sovereignty and how does it apply to your business?
Oracle, a renowned database management system, stated how “the exponential growth of data crossing borders and public cloud regions [has seen], more than 100 countries now have passed regulations.” This is of course pertaining to the access and control of information across countries.
Critics have long posited that governments seek to regulate commercial use of personal data despite the absence of clear rules governing public use of the same. But this may soon to be put to rest as countries around the globe adopt localized laws concerning data in general.
This, at a glance, is the principle of data sovereignty. What is data sovereignty exactly and how does it impact the course of your organization, specifically on your choice of a cloud service provider?
Data sovereignty: basis and definition
The concept generally refers to government directives in preventing their citizen’s personal data from exploitation through some form of restriction against inter-border transfers.
Much like in the industry of traders and merchants, organizations with data crossing borders via the internet are expected to comply with every reginal restrictions. Failure to do so entails sanctions and ultimately, hefty fines. This is why it is important for organizations to have a Data Protection Officer (DPO) to oversee the cybersecurity hygiene of the organization, to ensure the data protection compliance, and to avoid the consequences of data breaches.
A great example that comes to mind is the General Data Protection Regulation (GDPR) in the European Union. The GDPR regulates data privacy in the European Union and the European Economic Area including the transfer of personal data, giving the citizens the right to know how their private information is collected, used, and disclosed. A direct counterpart in Singapore is its Personal Data Protection Act (PDPA)
This brings as to cloud transfers and sharing of information.
Coping with cloud computing
Organizations that put their data into the cloud must exercise caution to avoid storing data in locations with data sovereignty laws. Knowing what is data sovereignty in this context could be crucial in ensuring full legal compliance, especially when more and more countries are passing strict regulations on data storage and data transfer.
It is highly recommended to ensure that your cloud provider offers an airtight cybersecurity protocol; whether in the event of a data breach or the need of data destruction.
Data residency should be strategic
All data has to be situated somewhere. But this may be paradoxical as the essence of cloud computing is to create anytime-anywhere access to information and systems. This may pose a challenge especially in countries with strictest data sovereignty laws. In Germany and Russia for example, private personal data of citizens’ are required to be stored on physical servers inside their physical jurisdiction.
While you may opt to leave compliance with this guideline with your cloud service provider, you should still do your research. Partner only with a provider whose data center locations affords compliance with applicable data sovereignty laws.
A thorough background check ensures this. In Singapore the Multi-Tier Cloud Security (MTCS) Singapore Standard (SS) 584 certification can give you confidence that your cloud service provider is qualified to handle highly sensitive data.
Data processing and data access go hand in hand
When you know what is data sovereignty and the primal role of data processing on adherence to such concept, you would realize how it goes hand in hand with data access.
It is important to note that any result of a server CPU processing is typically written back to data storage. Thus, the data processing service of your provider must be within your region. For example, once you upload any document to your service, do you know in which location the anti-virus scan is performed? How about the transmission paths, are you sure that they do not go beyond region boundaries? These are the important questions to ask and clarify with your cloud provider.
Verily, access to your data must always remain privileged. As precautionary measure, you should only grant temporary access to qualified employees, including your cloud provider’s personnel. And when giving such authority to the latter, ensure that they practice care in handling sensitive data pursuant to any regulatory requirements in force.
With the global direction on implementing data sovereignty as means of protecting citizens’ data, your organization should remain flexible when it comes to data handling and transfer.
Laws and regulations were never meant to bar the progress of effective information exchanges, as they merely regulate the same.
With the proper research and choice of cloud service provider, working through data sovereignty concerns will never be a hurdle.
Outsourced DPO – It is mandatory to appoint a Data Protection Officer. Engage us today.
PDPA Training (SkillsFuture Eligible) – Empower data protection knowledge for your employees.
Vulnerability Assessment Penetration Testing – Find loopholes in your websites, mobile apps or systems.