Data remains the heartbeat of every organization. The complexity of collecting, processing, storing, and securing an organization’s data continues to grow. Data sovereignty increases that complexity by enforcing local regulatory and compliance laws. These laws often apply to the data collected within a certain region. In a tactical example: if a global organization is collecting data within three different countries, the data collected within each country will be subject to their independent laws and regulations. One year ago, my colleagues at Veritas produced a blog that remains true today – The Ins and Outs of Data Sovereignty | Veritas.
Data sovereignty continues to develop with new regulations, geopolitical impact, and the evolution of data management tools. As I travel globally and listen to our customers’ myriad security concerns, I have repeatedly heard them articulate a focus on data: its ownership, its location, and the shifting regulations that present business risks.
On a recent customer trip to the South Asia Pacific region, it was clear that data sovereignty is a top-of-mind concern. I sat with the CISO of a private-sector financial institution who relayed the criticality of cloud data. Their concern was where the hardware physically resided and the national origin of the cloud storage company. Data sovereignty was a consideration for this CISO not only in terms of security, but also in terms of regulatory compliance and, ultimately, business risk.
To level set on some of the industry terms, it is important to differentiate between data sovereignty, data residency, and data localization. Data sovereignty is about control of data and the laws of the nation where it is collected, stored, and moved. Data residency concerns the geographical location where data is stored and processed. Data localization refers to laws or regulations requiring data to remain within a specific location and jurisdiction. Our focus in this blog is data sovereignty.
In Europe, the General Data Protection Regulation (GDPR) is one of the most notable data sovereignty policies; however, it does not cover all 120 countries that have data protection policies today. According to UNCTAD, nearly 71% of countries have implemented laws and regulations regarding the privacy and protection of data. For example, Singapore has the Personal Data Protection Act. As noted by the Personal Data Protection Commission of Singapore, this act “recognizes both the need to protect individuals’ personal data and the need of organizations to collect, use or disclose personal data for legitimate and reasonable purposes.”
The primary purpose of data sovereignty laws is to safeguard citizens’ personal and sensitive data. It should also be noted that some data sovereignty policies are intended to advance a particular nation or region as a global business competitor.
Being a global organization, we at Veritas understand the vast implications of data sovereignty. Two of the most obvious effects are on resources and complexity. Many organizations have hired dedicated compliance and data protection officers to keep up with the evolving regulatory requirements. Proper staffing doesn’t end after hiring and onboarding. It is critical to provide these specialists with current training in cybersecurity, so that these legal and compliance specialists are safeguarding data as well as complying with the law.
While staffing and training can be costly, investing in them is far more responsible than remaining ignorant or being fined for data sovereignty violations. The shared responsibility model focuses on the security and compliance of data and applications, but a transparent relationship with all cloud service providers (CSPs) is paramount for identifying where their servers are hosting data. Such diligence adds complexity. Inconsistent regulations from one country or region to another further increase the complexity, as well as the security risk, of doing business globally.
Applying a holistic view of the organization’s data structure and value helps clarify requirements for storage, retention, backup, and recovery. For example, storing all data in one location increases the risk posed by a cyber threat. However, the more locations that store data, the higher the cost and complexity. This creates the need for a risk-based management approach that weighs the trade-offs of a more secure, distributed data storage strategy within the guardrails of data sovereignty and locality.
How do large-scale artificial intelligence (AI) models affect data sovereignty? Obviously, machine learning requires a large volume of data. The organization needs to consider the origin, location, and storage strategy for that data. Such factors add both complexity and cost. As my colleague, Varun Grover, discussed in a previous blog, enabling a machine learning model to access the organization’s data can be a powerful tool. It inherently creates a data sharing network within the organization. This flow of data must be managed with data sovereignty and compliance in mind from the beginning. Imagine the need to develop AI models that are held independently within geographical regions with strict data sovereignty requirements. It’s important to consider how the organization’s AI strategy intersects with data sovereignty, both in execution and in cost.
Here are some guiding questions for you to consider when dealing with data sovereignty regulations. When it comes to customer data:
Being able to answer these questions is a critical component of achieving the full visibility needed to create a data sovereignty plan.
Data sovereignty is a pivotal aspect of the evolving digital landscape, affecting how nations, organizations, and individuals manage and protect data. Adhering to data sovereignty regulations requires robust data governance, compliance, and technological innovation. Data will continue to drive innovation and transform industries, and with that, data sovereignty will remain integral to fostering trust, transparency, and security.
Veritas takes trust, transparency, and security very seriously. To learn more about our trust practices, visit our Trust Center | Veritas. We ensure, through rigorous product design and third-party validation, that our customers’ data is handled with integrity and in full compliance with industry standards. To learn more about our compliance practices, visit Compliance | Veritas.