Don’t Ignore Data Sovereignty

The amount of data we generate and consume is growing exponentially. In 2021, roughly 2.5 quintillion bytes (2.5 exabytes) of data were created every day; by 2025 that figure is projected to reach 463 exabytes per day.

As data volumes grow, governments are creating frameworks to protect privacy and impose some form of control over where data lives and who can reach it. These changes are crucial, yet they pose a significant challenge for organizations. A company operating across territories must come to grips with the data sovereignty rules of each region to remain compliant with local law everywhere it handles personal data. One misstep—unintentional or otherwise—and you’re in breach of the law. And a breach can mean more than a fine: It can destroy reputations and trust.

So what does data sovereignty mean for organizations and what’s the best practice for ensuring compliance?

The Importance of Data Sovereignty

Put simply, data sovereignty means that digital data is subject to the laws and governance of the country in which it is collected. Wherever your customer is based, if you collect data from them, you must comply with that country’s data protection laws, regardless of where you later process or store the data.

137 of the 194 countries around the world have legislation in place to protect data and privacy. For instance, Europe famously has its GDPR, adopted by the EU Parliament in 2016 and in force since May 2018, which applies across all EU member states. Saudi Arabia’s first data protection law, the Personal Data Protection Law, was introduced in 2021, and India is currently progressing its Digital Personal Data Protection Bill. Even the U.S. is shifting to a stricter approach: Following California, Colorado, Connecticut, Utah and Virginia are set to bring GDPR-style rules into effect in 2023.

Of course, there are other laws that pull in the opposite direction and must be borne in mind at the same time. The U.S. Patriot Act allows U.S. authorities, with the appropriate legal process, to obtain data stored in the U.S. regardless of where in the world that information originated. Additionally, the CLOUD Act lets the U.S. compel communication service providers and remote computing service providers under U.S. jurisdiction to hand over data in their possession, custody or control, even when that data is stored beyond U.S. borders.

Non-compliance comes with a heavy cost. Meta was recently handed a record €1.2 billion GDPR fine for transferring EU users’ data to the U.S. without adequate safeguards, and companies such as H&M, British Airways and Clearview AI have also faced heavy financial penalties for privacy breaches. Then there’s the reputational aspect to consider. In a market where 76% of consumers say they would not buy from a company they do not trust with their data and 84% of businesses say data privacy is the most valuable factor for them when buying software, a breach can tank customer trust and bleed business. And it’s not just your own compliance that’s critical. In an increasingly cloud-serviced world, any third-party vendor you use can be a weak point in your data privacy armor, and you remain accountable for the data you hand them.

Staying Compliant

Ignoring data sovereignty isn’t an option. So what does this mean for organizations?

Companies must retain data sovereignty across all three states of data: in use, in transit and at rest, whether stored locally or in the cloud. They need the technical and organizational capabilities to do so. Adopting a ‘privacy by design’ approach (in the same vein as security by design) is a strong tactic to achieve this. A privacy-by-design approach includes minimizing the data you collect and store, avoiding automatic syncing to services you do not control, avoiding tracking and third-party selling, and applying granular privacy settings.

This means tough questions for your cloud providers. Before handing over data, you must clearly understand how these providers will use it, how much control you will retain and whether they themselves fully abide by privacy law. Good providers will have data centers and servers in-country and, just as importantly, a corporate structure that leaves them independent of foreign laws such as the U.S. CLOUD Act.

Data Sovereignty Best Practices

Still worried about compliance? Here are six top tips for maintaining data sovereignty.

Follow the strictest data protection laws

Keep things simple for yourself: where you operate under several regimes, align your baseline with the strictest one, so the same controls satisfy the rest. It’s better to be safe than sorry when it comes to data privacy.

Check your backups

You need to know where your backups, replicas and disaster-recovery copies are located to see whether they’re compliant; a cross-region backup can silently move data into another jurisdiction. Remember, you can always relocate your backups so that data sovereignty is upheld.

Work with trusted cloud providers

As discussed, it’s important to work with trusted cloud providers who have in-country data centers and servers for your location. However, it’s equally important to note the legislation the provider itself is bound by. For instance, data held in a Google data center located in Europe can still be reached under the U.S. CLOUD Act because Google is a U.S. company. Ensure you’re fully aware of the legislation affecting your chosen providers so you don’t run into surprises further down the line.
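The two tips above (know where every backup copy sits, and account for the provider’s home jurisdiction as well as the data center’s location) can be turned into a repeatable check. The following is an added example, not code from the article or from RealTyme: it audits a constructed resource inventory against an allowed set of jurisdictions and flags three things the text warns about, a copy landing in a disallowed region, a provider that answers to foreign law despite an in-region data center, and a resource whose location or provider cannot be determined. The region and provider lookup tables, the provider names and the inventory are all assumptions made up for the example.

```python
"""Data-residency audit over a constructed inventory (example code, not the article's)."""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Assumed lookup tables for the example (not authoritative): the jurisdiction
# a region's data center sits in, and the home jurisdiction a provider answers
# to. A US-headquartered provider can be compelled under the U.S. CLOUD Act
# even for data it keeps in an EU data center, so both tables matter.
REGION_JURISDICTION: Dict[str, str] = {
    "eu-west-1": "EU",
    "eu-central-1": "EU",
    "ch-zurich": "CH",
    "us-east-1": "US",
}
PROVIDER_HOME: Dict[str, str] = {
    "us-hyperscaler": "US",       # hypothetical US-headquartered provider
    "eu-sovereign-cloud": "EU",   # hypothetical EU-headquartered provider
    "ch-colo": "CH",              # hypothetical Swiss colocation provider
}


@dataclass(frozen=True)
class Resource:
    name: str
    role: str                          # "primary", "backup" or "replica"
    provider: str
    region: str                        # where the bytes physically sit
    replicates_to: Tuple[str, ...] = ()  # regions receiving copies (cross-region backups etc.)


Finding = Tuple[str, str, str]  # (resource name, region or provider, reason)


def audit(inventory: List[Resource], allowed: Set[str],
          allow_foreign_provider: bool = False) -> List[Finding]:
    """Return one finding per residency problem; an empty list means clean."""
    findings: List[Finding] = []
    for r in inventory:
        # Every location that holds a copy counts, not just the primary region.
        for region in (r.region,) + r.replicates_to:
            jurisdiction = REGION_JURISDICTION.get(region)
            if jurisdiction is None:
                findings.append((r.name, region, "unknown region"))
            elif jurisdiction not in allowed:
                findings.append((r.name, region, f"data in {jurisdiction}, outside allowed set"))
        # Location alone is not enough: the provider's home law reaches its data too.
        home = PROVIDER_HOME.get(r.provider)
        if home is None:
            findings.append((r.name, r.provider, "unknown provider jurisdiction"))
        elif home not in allowed and not allow_foreign_provider:
            findings.append((r.name, r.provider, f"provider answers to {home} law"))
    return findings


# Constructed sample inventory: one clean primary/backup pair, an EU-hosted
# resource on a US provider, a Swiss resource replicated to the US, and a
# legacy backup whose region and provider are not in the lookup tables.
CONSTRUCTED_INVENTORY: List[Resource] = [
    Resource("crm-db", "primary", "eu-sovereign-cloud", "eu-central-1"),
    Resource("crm-db-backup", "backup", "eu-sovereign-cloud", "eu-west-1"),
    Resource("mail-archive", "primary", "us-hyperscaler", "eu-west-1"),
    Resource("logs", "primary", "ch-colo", "ch-zurich", replicates_to=("us-east-1",)),
    Resource("legacy-share", "backup", "unknown-msp", "dc-07"),
]


def audit_sample() -> List[Finding]:
    """Run the audit with EU and Switzerland as the only allowed jurisdictions."""
    return audit(CONSTRUCTED_INVENTORY, allowed={"EU", "CH"})


if __name__ == "__main__":
    for name, where, reason in audit_sample():
        print(f"{name:16} {where:20} {reason}")
```

The point of the two lookup tables is that a region-only check would pass `mail-archive`, which sits in an EU data center, while the provider check correctly flags it; and `logs` is clean at its primary location but fails on the replica it ships to the U.S. Unknown regions and providers are reported rather than ignored, because a gap in the inventory is itself a finding.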

Conduct a supply chain risk analysis

Cloud providers aren’t the only part of the data equation. With the reach of legislation like the U.S. CLOUD Act, it can be very difficult for a data owner or controller to determine whether a service or service provider is exposed to extraterritorial influence from non-European legislation. In fact, given the number of factors and parties that can be involved in a data supply chain (subprocessors, support staff, software components and their vendors), it is not possible to completely exclude such influence. Therefore, to truly understand the risk to your data and how you might mitigate it, conduct a deep risk analysis of your entire data and software supply chain, not just your primary provider.

Stay up to date with legislation

Data privacy legislation is always evolving. You need to keep up to date with changing regulations across the territories you operate in and understand how they affect your day-to-day operations. For instance, some regions restrict cross-border data transfers or require certain data to be stored locally.

Transparency is key

Be transparent about your data privacy practices and be ready to demonstrate, with records of where data is stored and who can access it, how you’re complying with data sovereignty requirements.

In a world where data is king, data sovereignty is crucial. Ensure compliance now and avoid painful penalties and reputational damage further down the line.


Onur Oezen

Onur is the CEO and a co-founding member of RealTyme, a secure, sovereign, sustainable communication and collaboration platform. Mathematician, cryptologist, and a humane technology enthusiast who is passionate about privacy, digital wellbeing and sustainability, aiming to design technology products for good. Onur was previously the CEO of Adeya, which merged with RealTyme in 2021 to take the robust security and privacy of Adeya's technology to the next level with RealTyme’s innovative and human empowering solutions that better suit the way people now work and communicate. He began his security and privacy expertise with his Master's in Cryptography at the Middle East Technical University in Turkey, followed by his PhD in Cryptography at the École Polytechnique Fédérale de Lausanne in Switzerland.
