Where is your data? This was a simple question to answer not too long ago, when you could simply point to a server. Today, it’s far more difficult, and not simply because of “the cloud”.
Businesses do not build their online presence overnight. It grows as the company grows and new needs arise. More developers get involved, and data flows may not be as clear as they once were. Once a business becomes a multinational, the problem can quickly get out of control. Add political uncertainty and the sheer range of software tools available today, and it becomes very difficult for companies to innovate while maintaining data governance across all of their websites and web applications.
So, what is data sovereignty?
Data sovereignty is the concept that data is subject to the laws of the country in which it is processed. In a world of rapid adoption of SaaS, cloud and hosted services, the issues that data sovereignty raises quickly become obvious.
In simpler times, data wasn’t something businesses needed to be concerned about; it could be shared and transferred freely with no consequence. Businesses that had a digital presence operated on a small scale, with low data demands hosted on on-premises infrastructure. This meant that data could be monitored and kept secure, very different from the more distributed and hybrid systems that many businesses use today.
With so much data sharing and so little regulation, it all came crashing down with the Cambridge Analytica scandal in 2016, prompting strict laws on privacy.
The emergence of GDPR and other governmental legislation
The concept that data may be subject to the laws of more than one country presents mounting challenges for organisations. The General Data Protection Regulation (GDPR) is one such regulation that sent shockwaves throughout the world of IT. The regulation applies to the processing of EU residents’ personal data, regardless of where that processing takes place. If a company is not GDPR compliant, it risks regulatory fines of up to €20 million or 4% of global annual turnover (whichever is greater).
Fines are no empty threat either: over the course of 2020, more than 220 GDPR fines were handed out. Yet even with this threat, many companies still struggle to manage their own data strategy.
GDPR was the first major data compliance regulation, but it is not the only one. As businesses operate more internationally, they will need to be aware of the data policies both of the region they are collecting data from and of the region where they are storing it.
Cloud adds complexity
With on-premises infrastructure, governance is clearer, as the data must follow the rules of the country it’s in. In the cloud, however, a business can store its data in any number of locations regardless of where the business itself is. It’s down to the business to know where its data is being stored and to make sure it is compliant wherever that is.
Many small businesses take advantage of the cost savings associated with large cloud hosting providers such as Google and Microsoft. Viewed in the context of sovereignty, this raises the question of who is responsible for the data’s governance. To make matters more complicated, cloud vendors don’t always inform customers of the regulatory stakes of selecting one cloud region over another.
Azure, for example, operates on a shared responsibility model where, depending on the service a customer is using, the customer could be partly responsible for a breach or misuse of data. As cloud usage increases, it’s important for teams to be fully aware of their responsibilities to avoid any issues.
What can businesses do to make sure they don’t get caught out?
Gartner predicts that cloud spending will reach $332 billion by the end of 2021. With more complexity in the future and likely more regulation, businesses will need to get a tighter grasp on their data. Here are a few ways they can do this:
- Ensure that their cloud service provider is not duplicating data: Evaluate the relationship with the cloud vendor and establish where the data is being stored. While the vendor may be responsible for security, it may not own other responsibilities.
- Check that any overseas data complies with local laws and the laws of its source: GDPR covers data from EU citizens, so even if it’s held overseas it must be compliant.
- Check whether the data needs to be identifiable: If identifying data is not necessary, the safer course is to delete it.
- Backup: Backup is important, and any loss of data could result in a fine.
As countries adopt more complex data governance policies, it will fall to CTOs to navigate this complexity and make sure they have an accurate view of the whole business cloud environment, so that it is secure, compliant and responsible. Ultimately, selecting the right partner, one that offers solutions combining performance, price predictability and total sovereignty over data to support growth, is imperative.