Data Sovereignty and the GDPR; Do You Know Where Your Data Is?

Blog02142019As more companies move their data to the cloud, the question of data sovereignty is becoming a hotter topic. Data sovereignty is the requirement that digital data is subject to the laws of the country in which it is collected or processed. Many countries have requirements that data collected in a particular country must stay in that country. They argue that it’s in the Government’s interest to protect their citizen’s personal information against any misuse.

Data collected here stays here

For example, countries like Russia, Germany, France, Indonesia, and Vietnam, to name a few, require that their citizen’s data must be stored on physical servers within the country’s physical borders.

Certain United States federal agencies require that data under their control be stored exclusively within the United States. Australia has defined a legal framework with its updated Australia Privacy Act on how its citizen’s data should be stored and controlled. Europe’s General Data Protection Regulation (GDPR) also restricts companies from transferring personal data that originated in the EU to any country with inadequate data protection laws. To enable data transfers to the U.S., the U.S. and EU developed the Privacy Shield Scheme which enables companies to self-certify that they meet the EU security requirements.

The Privacy Shield’s main purpose is to enable US companies to more easily receive personal data from EU entities under EU privacy laws meant to protect European Union citizens. The Privacy Shield was developed as a replacement for the International Safe Harbor Privacy Principles, which were declared invalid by the European Court of Justice in October 2015. An up to date Privacy Shield listing of companies can be found here.

Data Sovereignty and the GDPR

The GDPR sovereignty requirements apply directly to the collection and processing of EU residents’ data, regardless of where that processing takes place. Additionally, it applies to both data controllers and data processors, so, whether your organization uses or provides a cloud service that processes EU residents’ data, you are directly affected.

Chapter V of the GDPR states that personal data can be transferred outside the EU under (only) two circumstances:

  1. On the basis of an adequacy decision (Article 45): Under the GDPR’s predecessor, the Data Protection Directive 1995, transfers of personal data to a third country (one that is not an EU member state), a territory, or an international organization may take place only if the European Commission has decided that there is “an adequate level of protection”.

To date, the Commission has adopted 12 adequacy decisions – with Andorra, Argentina, Canada (for transfers to commercial organizations that are subject to the Personal Information Protection and Electronic Documents Act (PIPEDA)), the Faroe Islands, Guernsey, Israel, the Isle of Man, Jersey, New Zealand, Switzerland, Uruguay and the US (for companies certified to the EU–US Privacy Shield).

  1. When subject to appropriate safeguards (Article 46): If there is no adequacy decision, controllers or processors may transfer EU residents’ data to a third country or an international organization if they provide appropriate safeguards and “enforceable data subject rights and effective legal remedies for data subjects are available” (Article 46).

Data Sovereignty and SaaS usually don’t mix

Many cloud platform providers are not designed with data sovereignty in mind. For example, many Software as a Service (SaaS) platforms are mostly designed around a single data center – meaning SaaS cloud service subscribers agree to have their data moved up to the vendor’s cloud, usually at one location. These SaaS cloud sites are usually located in only one country.

The impact of global laws with stricter data sovereignty requirements will drive SaaS cloud platforms to develop data centers in multiple regions, raising their costs, in order to store data locally and minimize the impact of new data sovereignty regulations.

Data gravity, data sovereignty, and the cloud

Data gravity is a metaphor that large data sets and applications are attracted to each other, much like the attraction between objects. With the increasing adoption of enterprise data analytics, as data sets continue to grow in size, they become harder to move. At some point, large data sets need to stay put to enable seamless processes, preferably in a compliant cloud so large data sets no longer need to be moved.

As organizations mature in their analytics practices, they find that analytics becomes unwieldy. With massive amounts of data spread across different enterprise storage systems, it can be difficult, costly, and risky to move that data to their analytics clusters. These barriers become even higher if you want to run analytics in the cloud on data stored in the enterprise, or vice-versa. These new realities for a world of ever-growing data sets point to the need to design enterprise IT architectures in a manner that reflects the reality of data gravity or alternatively, consolidate your data in a cloud platform where the analytics capabilities reside (and which includes data sovereignty guarantees).

To read more, please click here

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s