Data Sovereignty: Everything You Need to Know

“What’s data sovereignty? Is it the same thing as data privacy? What about data sovereignty vs data residency?” These are questions that plague many business owners, especially when you consider the cost of non-compliance. But achieving compliance can be challenging when you aren’t sure what rules you should be complying with.

For example, imagine you operate your business out of the United States. You work with a Canadian cloud infrastructure provider, which operates servers in multiple countries including Germany, the United Kingdom, and Australia. Your business also has customers all over the globe, including the European Union, India, Egypt, Brazil, the United States, and more. What country’s regulations should you comply with in terms of data protection? Should you be in compliance with all of them? Is that even possible? You can see how this gets complicated, fast.

This is where data sovereignty comes in.

What is data sovereignty?

Data sovereignty isn’t a law or set of regulations itself, but the idea that data is subject to the laws and governance structures from where it’s collected. In other words, a business based in the United States will still have to comply with the European Union General Data Protection Regulation (GDPR), and any other local data laws, if customer data was collected from, say, Italy. Likewise, if they collected data from a customer located in California, the same company also has to comply with California Consumer Privacy Act (CCPA).

Understanding this concept is essential because data sovereignty laws can vary a lot from region to region. Things can definitely get complicated when you consider that over 100 countries now have laws connected to data sovereignty.

For example, when one thinks of the European Union, the GDPR automatically comes to mind. This law applies to all countries in the European Union and includes a wide range of data regulations, including ones pertaining to data sovereignty.

And in Canada, data sovereignty laws state that even if a company transfers data to a third party, they are still responsible for its protection. Canadian businesses have to provide details about how they will handle this in their procedures and privacy policies if they transfer data to other parties outside of Canada.

The GDPR states that any company collecting or processing the personal information of EU citizens must store that data within the European Union, or in a territory with similar levels of data protection. Companies also have to abide by the GDPR’s rules if they are handling the personal information of European Union citizens, regardless of where data is stored, collected, or processed.

Data sovereignty: A little history

There have been several events over the last 20 years that have increased interest in the safety and privacy concerns of the average person’s online data profiles. Of note, the infamous Snowden leaks revealed an (illegal) pattern of US spy agencies turning their monitoring capabilities on their own citizens, as well citizens of other countries. Known as PRISM, it collected sensitive personal data, such as social media login credentials, emails, photos, and video calls from technology companies located in the US.

Another concern was the creation of the post-9/11 Patriot Act, which, among other things, empowered US government agencies to access any data stored physically within its borders, no matter where it comes from. In other words, if a Dutch citizen’s personal information is stored on a server located in the United States, the US government can access it whenever they like.

These might be two US examples, but they are not alone in moves to increase access and surveillance of data within or transiting their borders. As a result, countries worldwide have pushed back, enacting data protection rules to prevent their citizens’ personal information from undue risk.

Data sovereignty vs data privacy vs data localization vs data residency (!)

It’s not difficult to get confused with all these terms. Some of them are often used interchangeably, even though it’s not accurate. Let’s try and clear that up.

Data sovereignty

In simple terms, data sovereignty defines whose rules and regulations data should be subject to. For example, the European Union specifies that data collected from its citizens are subject to the GDPR, regardless of where it is stored.

Data privacy

Data privacy is the core idea that individuals have the right to control how their personal information is collected and used. It’s from this idea that rules, practices, and data sovereignty laws have been developed to ensure that any information people share will only be used for its intended purpose.

Data localization

Data localization refers to another central data handling concept, that any data on the citizens or residents of a nation must be collected, processed, and stored within the country’s borders. That data can usually only be transferred to another country after it has met local data protection laws, like needing to obtain users’ consent to utilize their data in specific ways.

Data residency

Data residency refers to the geographical location where a company decides to store its data. This choice can be based on government policies or regulations, but leaving data closer to the locations it will frequently be used will help optimize networks, and having backups in multiple locations globally is a standard security practice.

Usually, these regulations are concerned with companies justifying where customer data lives, and justifying they aren’t conducting too many of the company’s core activities outside of that country (for, say, tax advantages).

Why should this matter to you?

The old adage, “ignorance is no excuse for the law” still applies. Data sovereignty essentially compels businesses to develop solutions that ensure they comply with relevant data privacy and security laws. Not abiding by the regulations in the areas where you collect, manage, or store customers’ data can lead to significant fines or other enforcement actions. Undoubtedly, cloud computing has made data sovereignty more challenging for businesses, but it’s much easier to design an effective system when you understand the implications.

For example, when you understand how data sovereignty works, you can decide where it’s most feasible to store your data, but you’ll also be aware of your responsibilities for the data you possess. The more you know, the easier it will be to control operational costs and avoid unpleasant surprises.

Data sovereignty: The challenges with compliance

Considering that over 100 countries have data sovereignty laws, things can get complicated. This is especially true for larger companies that are more likely to be working with data from multiple territories.

Common challenges with achieving compliance include:

• Changing laws. Data sovereignty is still a pretty new idea, meaning that relevant laws tend to evolve quickly as countries discover navigate new situations. These changes aren’t always negative, but they can still make the environment challenging for businesses to remain reactive.
• Business growth. A business that expands beyond its own borders should be a reason to celebrate. However, it also makes things more complicated when it comes to data. The more data a business collects, and the more territories it operates in, the more challenging it will become to determine which data sovereignty laws it needs to abide by.
• Data mobility. Simply put, data mobility means getting data where and when you need it. Data sovereignty laws can inhibit that mobility. It can mean additional restrictions on how businesses can move data between two countries. It can also mean that specific cloud locations and services cannot be used. There might also be rules regarding the degree of encryption for data while it’s in transit and at rest. This brings up issues such as data transfer methods, related cyber protections, and network system and security.
• Technological transparency. To prove that you are complying with data sovereignty laws, you have to be prepared to detail how you handle your clients’ sensitive data.
• Cloud Infrastructure. Cloud infrastructure is often dispersed over multiple territories, which can make data sovereignty an issue. If you aren’t careful, you might find that your cloud deployment extends into countries with different data sovereignty laws. Certain data sovereignty regulations also dictate where data can be processed, which could limit your choices in terms of cloud services.
• Higher Costs. Data sovereignty laws could result in higher operational costs. For example, you might have to provide additional internal training to ensure that everyone knows the rules you have to comply with. It might also be necessary to change how you collect, store, and process data to ensure that you are accommodating all the relevant rules and regulations. You may even have to make repeated changes to maintain compliance due to the speed with which laws are still evolving.

Data sovereignty best practices

Applying data sovereignty practices to your business can be challenging, especially when you add cloud infrastructure to the mix. Companies need to be aware of the legal and regulatory environment and maintain full compliance by implementing cloud data sovereignty best practices.

Work with major cloud providers

Many customers turn to major cloud providers like AWS and Microsoft because they can safely rely on them for data sovereignty compliance. Yes, cost, flexibility, and availability are all factors, but so is data sovereignty.

Many of these providers operate in-country data centers, ensuring the first rule is followed. They also offer a variety of other features, including strong encryption and security services, that help customers achieve compliance with local data laws.

But remember: don’t just rely on your cloud providers to make you compliant. They offer you the tools, but it’s your responsibility to use the right ones.

Keep things simple

Any business operating on a global scale will face challenges when it comes to ensuring compliance over multiple territories. That’s why it’s critical to simplify. One way to do this is to uniformly implement measures that make you compliant with the strongest data protection laws. If you abide by the most rigid rules in all territories, you are far less likely to fall afoul of local regulations.

By taking the most robust approach to data protection and sovereignty rules, you also have to make far less frequent changes to ensure compliance, which will help with costs.

Know where your backups are

It’s imperative that you’re always aware of where your backups are being stored—because they’re also subject to data sovereignty laws. So, inventory all your backups to ensure you’re in the clear. This could either mean complying with local regulations, relocating the backups, or destroying them.

---

How does Auvik handle data sovereignty?

Auvik is very open about the how, what, and where we handle our customers’ data in our Privacy Policy. Auvik is hosted on Amazon Web Services, which means that we have access to many of the tools we need to ensure compliance with data sovereignty laws worldwide.

Auvik also works with sub-processors and content delivery networks. A sub-processor represents a third party that works with Auvik to process data in different regions. For example, Auvik uses AWS sub-processors for data storage in the United States, Ireland, and Germany. Data is stored in the best region for your location.

We provide a complete list of Auvik sub-processors, along with their purpose, location, and a description of the legal safeguards in place on our website.

For more detailed information about Auvik’s network and data handling policies, you can read all about it in our network system security whitepaper.

Auvik is not only one of the fastest and easiest to use cloud-based networking monitoring and management systems in the world, but it’s also one of the safest. Ready to find out more? Get your free 14-day Auvik trial.