It’s only relatively recently that data sovereignty has become a hot topic, but there’s every chance it could soon reach boiling point.
Put simply, data sovereignty is the principle that data held by an organisation is subject to the laws of the country in which it is stored or processed. It sounds blindingly obvious, but the ubiquity of huge global companies, the use of offshore data processing and the rise of cloud computing have made matters much more complicated: a single dataset may now be stored, replicated and processed under several jurisdictions at once.
Personal information is one of the fundamental issues of our time. There are any number of “free” services on the web, paid for by the supply of personal details. Over the past decade, both governments and the public have realised how much confidential detail is being held by organisations. They want to know what’s being done with it and what controls are in place.
Background to GDPR
Any company operating in the EU, or handling the personal data of people in the EU, needs to comply with GDPR (General Data Protection Regulation), the EU's framework for personal data. GDPR applies to the personal data of individuals in the EU even when it is processed outside European borders. That means US-based multinationals can't sidestep GDPR simply by moving the processing to their domestic market.
The underlying principle of GDPR is to give greater protection to individuals. This protection takes many forms: rules govern how personal data is collected, handled and stored, with painful fines (up to €20 million or 4% of global annual turnover, whichever is higher) for the most serious breaches. There are also strict requirements on reporting breaches: organisations must notify the supervisory authority within 72 hours of becoming aware of a breach, so they have to be far more proactive about detecting and documenting incidents.
Furthermore, individuals can require an organisation to erase the personal data it holds about them in certain circumstances – the so-called "right to be forgotten". All this places additional demands on organisations.
The EU has also introduced the NIS Directive, which covers the security of network and information systems. It applies to operators of essential services (such as energy, transport, health and water) and to digital service providers, including cloud providers, and requires them to take appropriate security measures on the networks and systems they operate and to report significant incidents. Unlike GDPR, it largely exempts micro and small businesses.
The UK’s take on data sovereignty
The UK's withdrawal from the EU has called into question the country's continued alignment with GDPR. The rules were carried over into UK law as the "UK GDPR", but the government has announced that it plans to replace them with a data protection regime of its own.
Plans remain vague but are thought to include a more flexible approach to data protection and a relaxing of the rules on reporting data breaches.
What data sovereignty means for organisations
The various regulations have had a dramatic effect on organisations. Many have appointed a chief data officer to pull together all the strands within an enterprise, and that person then becomes responsible for compliance with GDPR.
It isn't a simple task. The data officer must understand the legal issues (and, where there is extensive use of cloud, the providers' service level agreements and where data is actually stored and processed) along with having an excellent grasp of data storage and cybersecurity.
Finally, it needs to be someone who understands all the links within a business and how everything operates. Dealing with data sovereignty issues is quite a challenge for the modern business.