The issue of data sovereignty has developed increasing relevance as the world becomes increasingly connected through the internet (and other networks). Here is a brief guide to what you need to know about it.
Data sovereignty is a legal concept analogous to jurisdiction. It is based on the principle that digital data is subject to real-world laws and governance structures.
All data will be covered by the laws and governance structures in place at the point where it originated. If data is permitted to be moved out of its originating location, then it will also be subject to the laws in the place(s) to and through which it is moved. Some data may be subject to the laws of a given country even if it never enters that country.
The legal landscape in the USA can be roughly categorized into federal-level, state-level, and other laws.
Federal-level laws apply to all states and, where applicable, internationally. At present, they are heavily focused on ensuring data privacy. For the most part, however, this does not extend to placing restrictions on where data can be held. There are some exceptions to this but they are very niche (e.g. ITAR (International Traffic in Arms Regulations).
Additionally, The USA PATRIOT Act grants authorities broad powers to access records and information. Per the terms of the act, it applies even when the data has never touched the United States.
At the time of writing, 13 US states have privacy laws in place that place restrictions on how their residents’ data can be used. More have acts in the pipeline.
Of these, the first, and arguably, still the best known is the California Consumer Privacy Act (CCPA). According to the terms of this act, it applies to any company that does business with any California resident under any circumstances.
At present, the only other law with meaningful application in the USA is the General Data Protection Regulation. This was introduced by the EU in 2018. It still applies in the UK despite its withdrawal from the EU.
The reason GDPR applies in the USA is that the EU has an explicit agreement with the US (federal) government) which permits its enforcement. This was a condition of US-based organizations being permitted to touch data belonging to EU (and UK) data subjects.
The good news for organizations is that complying with data sovereignty requirements can actually be much simpler than it may initially look. The core of all of these programs is data protection. This means that, fundamentally, they all cover much the same ground in much the same way. The only real differences are in the enforcement agencies and the penalties.
Here is a five-step process that will guide you through data-sovereignty issues.
Identify which laws apply to the data you handle and what their specific requirements are. If more than one set of laws applies to your data, comply with the most stringent requirement. If it is unclear which laws apply or if laws appear to conflict, seek legal advice on that specific issue.
You need to know what you have, where it is, and who owns it (legally and functionally). You also need to know why you have it. If you cannot identify why you have specific data, then consider deleting it (or at least archiving it). This could be a good opportunity to do a thorough cleanse of the data you hold.
Fundamentally, data protection requires organizations to understand what they are collecting, from whom, how, and why. They should ensure that they obtain any necessary consents and keep the data for only as long as necessary.
While an organization holds data, access to it should be limited to those who actively need it. Moreover, accesses should only have the level of permission necessary for the user to perform their task. All data should have an internal owner. That owner should ensure that it is protected from unauthorized access.
Notwithstanding, there should be measures in place to handle data security breaches. These should include a process for notifying data subjects. Organizations should also be able to locate a particular data subject’s data upon request.
Both in-house staff and vendors will need to be clear on what is expected of them. In the case of vendors, this may require contracts to be updated.
Nothing to do with either the law or security is ever “one and done”. It’s vital that organizations implement effective robust continuous monitoring to ensure ongoing compliance. This includes monitoring for changes in the law.
Discover the DataBank Difference today:
Hybrid infrastructure solutions with boundless edge reach and a human touch.
