Here’s what you need to know about data sovereignty

Jan 06, 2021

More and more companies are moving their business operations to the cloud, but its security measures are usually lacking. This means that high-profile data breaches are hitting the news more often than ever before. Therefore, governments around the world are taking matters into their own hands and passing extra regulations to control how businesses manage their users’ personal information. That’s where data sovereignty comes in.

What is data sovereignty?

Data sovereignty is the concept that data is subject to the laws of the country in which it is physically stored. So, what makes the term complicated?

With so much data stored in the cloud, it’s not always obvious where exactly that data is stored. A lot of users might find this unsatisfactory – people usually want to know how, where, and why their data is stored. Businesses face challenges of their own, too. They must adhere to regulations in all the different countries whose data centers they use, as well as comply with data privacy laws in the locations they operate in. This might require a significant amount of time and money, especially if some of those regulations suddenly change.

For example, when the recent European data protection law, the GDPR, was implemented, a lot of businesses had to significantly change the way they collect, handle, and store their European customers’ data, even if none of it is physically stored in the European Union.

Why is data sovereignty important?

When you sign up for a service, your data isn’t necessarily stored in the same country in which the service provider is based. That’s because cloud storage architecture is distributed, so you may never know where your data will physically end up. And different countries have different laws when it comes to data privacy and the government’s right to access it.

Therefore, the term “data sovereignty” covers not only the laws that the data is subject to but also the measures meant to restrict businesses from transferring people’s information to other countries and misusing it in any way.

Data sovereignty laws ensure that businesses can’t collect, store, share, and sell people’s data without their express permission. So, which countries have data sovereignty laws? Surprisingly, few. Apart from the EU’s GDPR, data sovereignty laws are implemented in Canada and Australia. Unfortunately, only a handful of US states have them.

Data sovereignty vs data residency vs data localization

These three terms are often used interchangeably. However, they are not the same thing.

Data residency is when a company or a government agency specifically indicates where they store their data. Companies might declare data residency for transparency when they wish to take advantage of certain regulations available in other countries. For example, NordVPN is legally based in Panama, so it doesn’t have to adhere to any data retention laws or collect its users’ logs.

Data localization is the requirement that data created in a country must stay there. Localization laws usually demand that at least a copy of personal data is stored in the country so the government can easily access it if needed. In some countries, like Russia, data localization laws are stringent – all information must be stored in data centers within the Russian Federation. In these cases, data localization requirements are usually a way to control people’s personal data and use it for surveillance.

Data sovereignty and the cloud

For businesses that deal with cloud technology, whether they use a multi-cloud strategy or are customers or providers of cloud computing solutions, data sovereignty is a very complicated issue. If they use multi-cloud infrastructure to distribute their assets and storage among multiple cloud hosting services, they might need to comply with multiple data sovereignty laws.

If your business uses cloud computing technology, there are some things you must discuss with your provider. First of all, you have to find out where your data will be stored and what laws you must comply with. Make sure to find out what the local government bodies will be allowed to do with the data stored in particular countries or states.

When looking for a cloud computing provider, it’s also worth considering things like: Will you be able to request a specific location? Will your provider be allowed to move your data without notifying you? Will there be copies, and, if so, where will they be stored?

And, finally – will your data be secured, and how? If you use cloud storage for your clients’ data, its security is your top priority. Whatever cloud computing solution you use, you can always step up your safety measures by using NordLocker. With it, you can encrypt your files stored locally or in the cloud. This way, even if cybercriminals, government agencies, or other third parties try to access them, they won’t be able to read the contents.

Oliver Noble

A nerd with a laser focus on all things cybersec. His own words. Oliver’s hobbies away from the computer include reading, Netflix, and testing the limits of yet another Raspberry Pi. To our surprise, this 130-pound ‘nerd’ also bakes a killer pumpkin pie.