What is data sovereignty?
It’s only relatively recently that data sovereignty has become a hot topic, but there’s every chance it could soon reach boiling point.
Put simply, data sovereignty describes the idea that all data held by an organisation is bound by the laws of the host country. It sounds blindingly obvious, but the ubiquity of huge global companies, the use of offshore data processing and the rise of cloud computing have made matters much more complicated.
Individual protection
Personal information is one of the fundamental issues of our time. There are any number of “free” services on the web, paid for by the supply of personal details. Over the past decade, both governments and the public have realised how much confidential detail is being held by organisations. They want to know what’s being done with it and what controls are in place.
Background to GDPR
Any company operating in the EU needs to comply with GDPR (General Data Protection Regulation), the EU’s framework for all data. GDPR applies to all EU residents’ personal data, even if it is being processed outside European borders. That means US-based multinationals can’t handle the data in their domestic market and avoid GDPR.
The underlying principle of GDPR is to give greater protection to individuals. This protection takes many forms: guidelines govern how data is handled and stored, with painful fines (€20 million or 4% of global annual turnover) if these are breached. There are also strict requirements on businesses reporting breaches; they now have to be more proactive.
Furthermore, individuals have protection against damaging information being held – the so-called “right to be forgotten” principle. All this places additional demands on organisations.
The EU has also introduced the NIS Directive. It’s especially aimed at network and cloud providers. This ensures that operators take appropriate security measures on the networks that they operate. Unlike GDPR, this directive only applies to larger businesses.
The UK’s take on data sovereignty
The UK’s withdrawal from the EU has meant that the country’s continued support for GDPR has come into question. The government has announced that it plans to replace GDPR with its own data protection regime.
Plans remain vague but are thought to include a more flexible approach to data protection and a relaxing of the rules on reporting data breaches.
What data sovereignty means for organisations
The various regulations have had a dramatic effect on organisations. Many have appointed a chief data officer to pull together all the strands within an enterprise. That person then becomes responsible for compliance with GDPR.
It isn’t a simple task. The data officer must understand the legal issues (and, if there’s extensive use of cloud, have knowledge of providers’ service level agreements) along with an excellent grasp of data storage and cybersecurity.
Finally, it will be someone who understands all the links within a business and how everything operates. Dealing with data sovereignty issues is quite a challenge for the modern business.