What is data sovereignty?
Data sovereignty is the principle that digital data is subject to the laws and governance of the country in which it is physically located. It is an important term for regulatory and data security purposes.
It refers specifically to the following questions about data:
- Who owns the data?
- Who is allowed to store the data?
- Where is the data stored?
- Where is the data processed?
- How can data be stored?
- How can data be used?
- How is data protected?
- What happens in the event of data misuse?
What is the difference between data sovereignty vs data residency?
Data sovereignty means that data is subject to the laws and legal protections of the country in which it is physically stored, whereas data residency is a matter of the geographical location where the data is stored.
This is a subtle, but important distinction. You may well have your data stored in a sovereign location but it could well be processed outside of that sovereignty – whether this is by transferring the whole data set itself, a subset or metadata which could be used for other purposes.
Why is data sovereignty important?
Public sector organisations must follow two basic rules to guarantee data security:
- IT infrastructure must be secure, flexible, and up to date at all times
- Data sovereignty over customer, user and business data must be guaranteed
Organisations should always know how data is stored, processed, and transferred so customers can be assured their data is in safe hands and that the company is legally compliant. If a company neglects these, then this can have serious legal consequences. It’s all about your risk appetite – are you comfortable with the risks that have been identified?
Have you thought about where your data goes when you move it to the cloud?
Your data must still reside somewhere physically even if it’s stored in the “cloud”. It’s also important to realise that, in a lot of cases, your data is separated from others’ data by software only – particularly in SaaS solutions.
The only way to find out where and how your data is being stored is to ask your current cloud provider.
Will my data stay in the UK, if my current provider is a US company with data centres in the UK?
If you have a US provider in your cloud supply chain which handles your data, the US Cloud and Patriot Acts could still affect you regardless of whether the data centre is in the UK.
The U.S. government created these Acts to provide its agencies (FBI, CIA, NSA etc.) with access to organisational and personal data that may meet certain criteria. The key point, as set out by the act, is that if your cloud provider has any operations in the United States, you are vulnerable to U.S. jurisdiction and data access.
This is particularly key for organisations that may hold personal, sensitive or high-level / critical infrastructure data.
To protect your UK data from being accessible via these acts, your organisation should review the risks and establish whether a UK data sovereign cloud provider is needed to keep your data and metadata within the borders of the UK.
I need a UK data sovereign cloud provider
Nine23 understands that all your data (and metadata) needs to be protected. We are a UK owned, managed, and operating cyber security sovereign cloud provider that will protect and keep your data in the UK.
Our services are underpinned by our fully owned and managed, secure UK data sovereign private cloud, Platform FLEX.
Contact us for more information.