Tackling the challenges of data sovereignty in a multi-cloud world – ComputerWeekly.com

This is a guest post by Andy Ng, vice-president and managing director for Asia South and Pacific region at Veritas Technologies

The shift to public cloud adoption is alluring, driven by the promises of increased agility, improved operational efficiency, higher resiliency, and lower costs. However, as organisations transfer more workloads and data to the cloud, many have recognised the need to remain compliant with the plethora of data sovereignty regulations that exist across the globe.

So, what is data sovereignty and why do organisations need to care about it? In simple terms, data sovereignty is the concept that data is subject to the regulations of the country in which it was originally collected. Hence, if you collect data from individuals or organisations in multiple countries, you need to ensure that you process, manage, store, and dispose of that data in accordance with the laws of each country from which it was collected.

Data sovereignty is akin to international travel: when we are back at home, we must obey local laws, but when we are travelling, we are required to obey the laws of the country we are located in. If we don't, we risk punishment. Similarly, data sovereignty implies that an enterprise that has data located in multiple countries must make sure it complies with the data privacy laws of each country or risk punishment.

For example, the European Union's General Data Protection Regulation (GDPR) stipulates that data collected within the EU can only be transferred to a third country for which the European Commission has determined that there is an adequate level of protection, or otherwise where appropriate safeguards have been put in place. This applies to both data controllers (those responsible for determining why and how data should be processed) and data processors (those who process the data).

In Singapore, the local equivalent is the Personal Data Protection Act (PDPA). The act stipulates that companies can retain personal data if it is still being used for the purposes for which the data was collected. But if data is no longer needed for that particular purpose, it must be deleted. These are just two examples of over 100 different regulations governing data sovereignty globally.

The advent of cloud has forced data sovereignty to centre stage, as its dispersed nature has broken down many of the traditional geopolitical barriers limiting the storage of data across borders. The transformation to multi-cloud, where enterprises rely on not just one but multiple cloud service providers, delivers benefits to enterprises but also serves to increase the risk that data could extend, knowingly or not, into different regions with different data sovereignty laws.

Put simply, with the multi-cloud model, organisations don't know or can't control where their data is ultimately being stored or where replicated copies of the data are being pushed to. Even if organisations can stipulate the country where data is stored and processed, there may be a risk that the cloud service provider could be subject to regulations that would require them to provide third parties access to certain types of data. As such, organisations could be breaking their data sovereignty and privacy obligations without even knowing it, and the impact of failing to adhere to data sovereignty regulations can be severe.

Under the GDPR, for example, the maximum fine for non-compliance is $20m or 4% of global annual turnover, whichever is larger. Just look at some of the GDPR-related fines companies have faced in the past two years. In Singapore, the financial penalty cap for breaches under the PDPA has increased from S$1m to 10% of the organisation's annual turnover in Singapore for organisations with annual local turnover exceeding S$10m, whichever is higher.

So, how should organisations address the challenges of data sovereignty? At the highest level, there are four basic steps:

In a nutshell, data sovereignty should be a consideration for any organisation that is storing or processing data in the cloud. Making sure your data, including your backup data, is compliant wherever it may reside is your responsibility. Never just assume someone else is doing that for you. With careful research, clear policies, and the right technical controls, you can build a compliance model consistent with the data sovereignty regulations in all the jurisdictions in which you operate.
