What is data sovereignty?
It’s only relatively recently that data sovereignty has become a hot topic, but there’s every chance it could soon reach boiling point.
Put simply, data sovereignty describes the idea that all data held by an organisation is bound by the laws of the host country. It sounds blindingly obvious, but the ubiquity of huge global companies, the use of offshore data processing and the rise of cloud computing have made matters much more complicated.
Individual protection
Personal information is one of the fundamental issues of our time. There are any number of “free” services on the web, paid for by the supply of personal details. Over the past decade, both governments and the public have realised how much confidential detail is being held by organisations. They want to know what’s being done with it and what controls are in place.
Background to GDPR
Any company operating in the EU needs to comply with GDPR (General Data Protection Regulation), the EU’s framework for all data. GDPR applies to all EU residents’ personal data, even if it is being processed outside European borders. That means US-based multinationals can’t handle the data in their domestic market and avoid GDPR.
The underlying principle of GDPR is to give greater protection to individuals. This protection takes many forms: guidelines govern how data is handled and stored, with painful fines (€20 million or 4% of global annual turnover) if these are breached. There are also strict requirements on businesses reporting breaches; they now have to be more proactive.
Furthermore, individuals have protection against damaging information being held – the so-called “right to be forgotten” principle. All this places additional demands on organisations.
The EU has also introduced the NIS Directive. It’s especially aimed at network and cloud providers. This ensures that operators take appropriate security measures on the networks that they operate. Unlike GDPR, this directive only applies to larger businesses.
The UK’s take on data sovereignty
The UK’s withdrawal from the EU has meant that the country’s continued support for GDPR has come into question. The government has announced that it plans to replace GDPR with its own data protection.
Plans remain vague but are thought to include a more flexible approach to data protection and a relaxing of the rules on reporting data breaches.
What data sovereignty means for organisations
The various regulations have had a dramatic effect on organisations. Many have appointed a chief data officer to pull together all the strands within an enterprise. That person then becomes responsible for compliance with GDPR.
It isn’t a simple task. The data officer must understand the legal issues (and, if there’s extensive use of cloud, knowledge of providers’ service level agreements) along with an excellent grasp of data storage and cybersecurity.
Finally, it will be someone who understands all the links within a business and how everything operates. Dealing with data sovereignty issues is quite a challenge for the modern business.