What is Data Sovereignty and Data Residency?
As a business, it is critical to know precisely where your data is stored and then take the necessary steps to ensure that you are in compliance with the regional legislation. Confusing the terms data sovereignty and data residency can cost your business when it comes to regulation breaches. As such, it is important to define and understand the difference between the two.
What is Data Sovereignty?
It provides governments with the means to prevent unvetted access by foreign contractors, support staff and entities to sensitive government data. Data sovereignty can be in the form of laws and regulations such as the EU General Data Protection Regulation (GDPR) and the US California Consumer Privacy Act (CCPA).
What is Data Residency?
According to Oracle, it refers to where your data is stored geographically for regulatory or policy reasons.
Organisations have a duty to ensure they understand where their data is stored and adhere to the laws and regulations of that region, that pertain to data. Additionally, they must ensure that controls and procedures are in place to manage data breaches and the destruction of data. In other words, they are also responsible for choosing the right cloud provider that offers tight security with comprehensive protocols to ensure data protection and control.
Why are Risk Managers Concerned with Business Data Storage?
According to the World Development Report 2021 by The World Bank, global internet traffic has been estimated to reach 150,000 GB of traffic per second, a 1,000-fold increase from 2002. With the exponential increase in the speed of digital transformation, it is inevitable that more companies are exploring cloud options for business data storage. However, some of that data will be governed by regulations specific to the region in which it originated. If your business data crosses borders via the internet, you must be able to ensure that you are in compliance with the relevant regional regulations. Failing to do so can result in hefty fines or worse - which is the basic argument for data sovereignty.
With the proliferation of cloud computing, management teams are increasingly concerned about where their data is stored and how it is transferred. When speaking with CISO’s, Risk Managers and other responsible parties within the APAC region, the issue of where data is stored digitally within the Alyne Software-as-a-Service (SaaS) platform inevitably comes up.
Rightfully so, as risk management involves:
- Identifying potential threats/risks/vulnerabilities and;
- Creating a plan of action to mitigate and reduce the risk of the potential loss
Often sighted is the potential overreach that might occur as a result of the enforcement of the US CLOUD ACT - Clarifying Lawful Overseas Use of Data Act (the CLOUD Act) that will allow law enforcement and national security agencies to access data directly from communications providers, granted international agreements are in place.
Clarifying Lawful Overseas Use of Data (CLOUD) Act
The United States Clarifying Lawful Overseas Use of Data Act (CLOUD Act) was passed in 2018. The Act primarily amends the Stored Communications Act (SCA) and it gives U.S. law enforcement authorities the power to request data stored by most major cloud providers, even if it is located outside of the United States. With that being said, the scope of the CLOUD Act has definitely raised concerns about the safety of business information that is being stored in the digital cloud space.
Visibility and Tangibility Should Not Be the Key Considerations for Your Data Storage Choice
On-premise data centres gave responsible individuals a sense of control and certainty because of the visibility and tangibility of a data centre, which the cloud does not. Interestingly, if your data is stored in a data centre in the UK, but the data centre is owned by a United States headquartered company, then the US Government may have the right to access your data under the CLOUD Act.
As such, as a starting point, the important consideration about your data storage should be based on:
- Where are each of your various categories of data (personal data, financial records, etc) created or processed and what obligations might this bring?
- What data would you not want to fall into a foreign government’s hands?
- Will there be a detriment if the data in question is stored outside the country?
- Where is it then stored, and who owns the data centre?
- What are your procedures for backup and what is the security or encryption of that data?
- How confident are you in your cloud partner(s) understanding of current and future data privacy regulations?
The answer in all instances from our client base is that the personally identifiable information (PII) and attachments stored in our SaaS platform are the ‘crowned jewels’ and by virtue are where the focus on data sovereignty and data residency should be applied. Addressing any level of confusion in your own business will allow you to identify the precise obligations that apply to you and interrogate your cloud service providers’ capabilities more rigorously.
Alyne’s Approach Towards Data and the Requirements around Data Security, Sovereignty and Residency
As security experts, Alyne has placed considerable thought into how we can leverage the digital cloud space to ensure we satisfy all data security, sovereignty and residency requirements.
- The Alyne Platform is hosted on Amazon Web Services (AWS) EU West 1, Heroku platform to leverage the best in class security of the hyper cloud. Alyne’s use of AWS ensures high availability.
- To assuage any concerns about data security and residency in the various regions we operate in, attachments in the form of files are stored in a local AWS S3 bucket of their choice (subject to availability in their AWS region). This satisfies the need for data sovereignty and data residency.
- Lastly, Alyne is governed by GDPR and subject to local privacy laws (California Consumer Privacy Act/ Australian Privacy Principles etc) and regulations in each of the regions that we operate(Germany/ UK/ Europe/ US/ Australia/ Singapore-APAC).
In conclusion, the increasing amounts of data being stored in the cloud have meant that organisations and governments need to place considerable emphasis on ensuring data sovereignty and residency where applicable are maintained. It should not however be an emotional argument - rather a logical analysis of what is important and must be protected, with logical safeguards employed where necessary.