Data Sovereignty: Protecting Your Data in a Globalised World
Data breaches have become an all-too-common occurrence, affecting even the biggest tech giants. In fact, in just Q1 of 2023 we’ve witnessed more than 6 million data records being exposed worldwide.
For organisations, it is no longer enough to focus solely on IT security or network security; they must also prioritise data governance. One crucial aspect of data governance is data sovereignty: the principle that data is subject to the laws and regulations of the jurisdiction in which it is stored or processed. As punitive regulations for data breaches continue to emerge, the responsibility for data sovereignty falls heavily on the shoulders of management.
Below, we explore the concept of data sovereignty and why it is essential for organisations to understand and address it: the implications of transferring data between countries, the role of Managed Service Providers (MSPs) in data governance, and the risks and costs associated with data breaches. The aim is to show why data sovereignty matters and how addressing it can safeguard both your organisation and its data.
Who Has Data Ownership?
The increasing enforcement of global data protection regulations has made data sovereignty a major concern. Essentially, data is subject to the laws and regulations of the country in which it is stored or processed. Some countries extend this to the use of data about their citizens and businesses anywhere in the world, and in some jurisdictions the penalties for violations can include a prison sentence.
Managing, storing and transferring data across borders has become more challenging as cloud storage and multi-country data processing become the norm. This complexity is compounded for organisations that rely on MSPs for their infrastructure. When a breach occurs and an MSP is involved, liability is shared between the data owner (the data controller, in GDPR terms) and the data processor (the MSP).
The Endemic Confusion
Unfortunately, the question of responsibility and data ownership often causes confusion and significant cost for both MSPs and businesses. In our own research we found that many businesses simply hand responsibility over to an MSP and expect the provider to pick up the financial cost should a data breach occur. Companies employing third-party organisations to deliver security policies expect MSPs to cover 48% of the costs in the event of a data breach. Astonishingly, 73% of MSPs also consider themselves responsible for paying fines and damages, and believe they should pay 51% of the costs.
This unsustainable approach is causing MSPs to turn away business because of the risks associated with their clients' data. That should be a wake-up call for businesses. If a reputable MSP refuses a contract, organisations are left with limited options: find another MSP, which will likely raise its prices to offset the risk, or settle for a provider with a less robust approach to risk assessment and management.
Separation of Duties
To address the challenges of data sovereignty and establish a secure data governance framework, organisations must embrace a separation of duties and prioritise data security over perimeter security. In practice this means encrypting Personally Identifiable Information (PII) so that only the intended recipients can read it, regardless of where they or the infrastructure are located. EU guidance points the same way: the European Data Protection Board's post-Schrems II recommendations on supplementary measures treat encryption of transferred data as effective only where the keys remain under the sole control of the data exporter (or a party it entrusts within the EEA or an equivalently protective jurisdiction) and are never available to the importer, reinforcing the regulatory push for a separation of duties.
By adopting this approach, organisations acknowledge their responsibility as data owners to protect the organisation's data. In turn, MSPs and other infrastructure providers can focus on delivering efficient storage and transport services without the burden of securing data whose contents they cannot read and for which they hold no keys. This not only clarifies the lines of responsibility but also simplifies contract negotiations, reducing costs and resource consumption.
Schrems II Compliance
Separation of duties also helps organisations navigate data sovereignty concerns, particularly in Europe, where data transfers to the US continue to raise questions under the General Data Protection Regulation (GDPR). The Court of Justice of the European Union's Schrems II judgment (2020) highlighted the risks of transferring personal data from the EU to the US. Meta, for instance, was fined a record 1.2 billion euros ($1.3 billion) in 2023 and ordered to halt the transfer of data collected from Facebook users in Europe to the United States.
The case sets a precedent and underlines the need for organisations to take a data-first approach and implement policy-based encryption to protect privacy, the data itself and individuals' right to effective judicial protection.
By encrypting PII so that only intended recipients can read it, organisations can achieve a form of virtual data sovereignty, easing geographic constraints and compliance challenges. The caveat is that this only holds where the remote party never needs the plaintext: if an MSP or overseas recipient must process the data in the clear, owner-held keys do not remove the transfer problem. The encryption itself must also be sound, meaning a modern authenticated cipher, keys generated and stored under the owner's control, and a clear record of which recipients hold which keys.
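As an added example (not code from the original article or from any vendor it describes), the following Go program shows the separation of duties described under "Separation of Duties" and the policy-based encryption referred to above, implemented as envelope encryption with owner-held keys. The data owner generates and keeps every key; each PII record is encrypted under a fresh data encryption key (DEK); the DEK is wrapped only for the intended recipients, with the recipient's identity bound in as associated data. The MSP receives only the sealed blob and can store or transport it but cannot read it, and a recipient outside the policy has nothing to unwrap. The recipient IDs, the sample record and the in-memory key handling are constructed for illustration; in production the recipient keys would live in an HSM or KMS under the owner's control. Only the Go standard library is used.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Sealed is everything the data owner hands to the MSP: the encrypted record and
// the data key wrapped per intended recipient. Every key stays with the owner.
type Sealed struct {
	Ciphertext []byte            // nonce || AES-GCM ciphertext of the PII record
	WrappedDEK map[string][]byte // recipient ID -> nonce || AES-GCM wrapped data key
}

// NewKey returns a fresh 256-bit AES key, generated and held by the data owner.
func NewKey() ([]byte, error) {
	k := make([]byte, 32)
	_, err := rand.Read(k)
	return k, err
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// gcmSeal returns nonce || ciphertext; aad is authenticated but not encrypted.
func gcmSeal(key, plaintext, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, aad), nil
}

// gcmOpen reverses gcmSeal; a wrong key, wrong aad or any tampering is an error.
func gcmOpen(key, blob, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	n := aead.NonceSize()
	if len(blob) < n {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return aead.Open(nil, blob[:n], blob[n:], aad)
}

// Seal runs on the data owner's side: a random data encryption key (DEK) protects the
// record and is wrapped under each recipient's key, with the ID as associated data.
func Seal(record []byte, recipients map[string][]byte) (*Sealed, error) {
	if len(recipients) == 0 { // sealing for nobody makes the record unrecoverable
		return nil, fmt.Errorf("no intended recipients")
	}
	dek, err := NewKey()
	if err != nil {
		return nil, err
	}
	s := &Sealed{WrappedDEK: map[string][]byte{}}
	if s.Ciphertext, err = gcmSeal(dek, record, nil); err != nil {
		return nil, err
	}
	for id, rk := range recipients {
		if s.WrappedDEK[id], err = gcmSeal(rk, dek, []byte(id)); err != nil {
			return nil, err
		}
	}
	return s, nil
}

// Open runs on a recipient's side; anyone (the MSP included) lacking a wrapped DEK
// for their ID and the matching key gets an error, wherever they are located.
func Open(s *Sealed, recipientID string, recipientKey []byte) ([]byte, error) {
	w, ok := s.WrappedDEK[recipientID]
	if !ok {
		return nil, fmt.Errorf("%q is not an intended recipient", recipientID)
	}
	dek, err := gcmOpen(recipientKey, w, []byte(recipientID))
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK for %q: %w", recipientID, err)
	}
	return gcmOpen(dek, s.Ciphertext, nil)
}

func main() {
	euKey, _ := NewKey()
	usKey, _ := NewKey()
	// Constructed sample record and recipient IDs, not real data.
	sealed, _ := Seal([]byte("name=Alice Example;dob=1990-01-01"), map[string][]byte{"eu-analyst": euKey})
	pt, _ := Open(sealed, "eu-analyst", euKey)
	fmt.Printf("eu-analyst: %s\n", pt)
	_, err := Open(sealed, "us-contractor", usKey)
	fmt.Println("us-contractor:", err)
}
```

Running it prints the record for the intended recipient and an "is not an intended recipient" error for the other party. Binding the recipient ID into the wrapped DEK as associated data is what makes the policy enforceable by cryptography rather than by the MSP's access control: copying a wrapped key from one recipient's slot to another's fails to decrypt, and flipping any ciphertext bit is detected by the GCM tag.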
Data sovereignty is a critical aspect of data governance in a globalised world. By prioritising data protection through encryption and adopting a separation of duties approach, organisations can effectively address the challenges posed by data sovereignty and ensure compliance with regulations like GDPR.
Organisations need to recognise the importance of data sovereignty and take proactive steps to safeguard their data. By doing so, they can ensure compliance, mitigate risks and maintain the trust of customers and stakeholders in an increasingly data-driven world. Cyber security is not just about IT; it is about data governance, and the responsibility for that rests firmly with management.
For more information on Data Sovereignty check out our latest white paper here.