What is data sovereignty?
Data sovereignty describes the ownership of and jurisdiction for controlling digital data. It has come to the fore because of the global transfer of digital data. The concept of digital data sovereignty has varying stated principles that revolve around data residency, data localization, data protection, and data privacy.
One point of view on data sovereignty is that digital data is subject to the laws and regulations of the country in which it is stored. This means that the data is subject to legislation in the place where it is physically located, and the government in that jurisdiction can enforce applicable data-related laws.
Another interpretation of data sovereignty directs that the protection and management of digital data must comply with the rules and regulations in the nation in which it originates. For instance, data belonging to a Dutch citizen should be exempt from United States (U.S.) data protection and privacy laws and regulations even if the data is stored or processed by an American company. Conversely, digital data originating in the U.S. should not be subject to Dutch or European Union (E.U.) rules and regulations.
The interpretation and enforcement of data sovereignty is important due to the fluidity of data generation, collection, storage, and processing.
Governments have become increasingly involved in data sovereignty to protect their citizens’ privacy and data they create, as well as maintaining control of data for national security reasons.
Some countries require that data generated within their borders be stored and processed within their jurisdiction. Others mandate that certain types of data must remain within their jurisdiction for security and regulatory compliance.
What is indigenous data sovereignty?
Indigenous data sovereignty is a branch of sovereignty that focuses on the rights of Indigenous nations to manage the privacy of their information. It is most commonly used in reference to the U.S., Canada, and Australia.
Indigenous data sovereignty seeks to codify the rights of Indigenous people to own, control, access, and manage data related to their Nations. This can include data about Indigenous:
- Ancestral knowledge and cultural practices (e.g., images, language, song, stories, or oral histories)
- Communities
- Demographics information
- Education statistics
- Employment data
- Geological data
- Health information
- Land history and management
- Nations
- People
- Resources and environments
- Water sources
- Wildlife
Indigenous data sovereignty principles also direct that information management and data collection strategies related to indigenous people must align with the practices and culture of the Nation, community, and people represented in the data. One of the objectives of Indigenous data sovereignty is that Nation members become partners in data collection and related research rather than subjects.
Data sovereignty in the cloud
Due to the inconsistent rules about data sovereignty, data in the cloud can be tricky to manage within compliance requirements. Data stored and used by cloud services can be subject to the laws and regulations of more than one country and therefore be required to meet different thresholds for data security, data privacy, and data breach notification. Some countries enforce restrictions on data transmission outside of the originating country, and others prohibit the transfer of data to third parties for storage or processing.
To support data sovereignty in the cloud:
- Ensure consistent implementation processes
- Utilize systems that offer compliance with the rules and regulations for the location that has the most stringent data sovereignty requirements
- Pay close attention to the geolocation of backups and ensure that they meet requirements
- Remember that data sovereignty must be addressed holistically, not by a single department or person (e.g., Chief Information Officer, I.T., security, legal, procurement, risk management, or auditors)
- Take advantage of cloud providers’ data sovereignty expertise
Data sovereignty vs data localization
Data localization requires that data remains in the location where it was created. It is a special case of data sovereignty enforced by government entities.
With data localization, governments have the authority to govern and control data created within their borders, including regulating its distribution, processing, and storage. For instance, the European Union’s General Data Protection Regulation (GDPR) controls personal data related to a member country’s citizens, and organizations must store that information in local servers. In addition, GDPR limits, and in some cases prohibits, the transmission of that data.
Data sovereignty vs data residency
Like data localization, data residency falls under the data sovereignty umbrella. Once a location is selected for an organization’s data, it is subject to that location’s data sovereignty directives.
Therefore, data residency is often used to avoid restrictions related to data sovereignty; data is stored in a location with favorable regulations to avoid data sovereignty requirements, take advantage of favorable tax structures, or leverage improved performance capabilities.
Key considerations in data sovereignty
Below are several best practices that organizations can follow to ensure data sovereignty.
Conduct comprehensive data audits that document where data is stored, processed, and transmitted to ensure compliance with applicable data protection and privacy laws and regulations as well as data sovereignty requirements.
Create a data protection policy and a program to support it. This policy should detail the organization’s rules and processes for handling and storing sensitive data, including what data protections should be in place for data sovereignty and other regulations.
Evaluate data protection measures against best practices and compliance requirements to confirm that the most effective tools are in place to keep data from unauthorized access and comply with data sovereignty and other applicable laws and regulations.
Leverage data localization to store data within the jurisdiction where it was created or collected to ensure compliance with local laws and regulations, including data sovereignty.
Remember to consider data in transit and how data sovereignty rules impact it. Questions to ask when evaluating this include:
- How often is data transferred between countries?
- What countries is data being transferred to and from?
- What type of data is being transferred?
Stay up to date with changes to regulatory requirements as these are continuously evolving and new data sovereignty, data privacy, and data protection rules are being adopted worldwide.
Use cloud solutions offering data residency options to meet data sovereignty requirements by ensuring data is stored and processed in specific regions or jurisdictions.
Data sovereignty challenges
More than 100 countries have data sovereignty laws, each with different requirements. Challenges that data sovereignty presents include:
- Data sovereignty laws can inhibit cross-border data mobility.
- Geographically distributed cloud infrastructure and services complicate compliance with disparate data sovereignty rules.
- Laws are continuously evolving to address new situations.
- Operational costs can increase with the efforts required to meet data sovereignty requirements.
- Technological transparency for some data sovereignty laws requires disclosing how sensitive information is handled, which exposes security protocols.
Data sovereignty and digital identity
Data sovereignty can be effectively managed with the right programs and tools. Digital identity should be considered when developing plans to meet data sovereignty requirements.
As organizations have searched for the right mix of technology and process to address the challenges of data sovereignty, digital identities have surfaced as an important component. They are at the root of security and access controls and have turned up as the secret ingredient in successful data sovereignty plans.
