What is data sovereignty?

It’s only relatively recently that data sovereignty has become a hot topic, but there’s every chance it could soon reach boiling point.

Put simply, data sovereignty describes the idea that all data held by an organisation is bound by the laws of the host country. It sounds blindingly obvious, but the ubiquity of huge global companies, the use of offshore data processing and the rise of cloud computing has made matters much more complicated.

Individual protection

Personal information is one of the fundamental issues of our time. There are any number of “free” services on the web, paid for by the supply of personal details. Over the past decade, both governments and the public have realised how much confidential detail is being held by organisations. They want to know what’s being done with it and what controls are in place.

Background to GDPR

Any company operating in the EU needs to comply with GDPR (General Data Protection Regulation), the EU’s framework for all data. GDPR applies to all EU residents’ personal data, even if it is being processed outside European borders. That means US-based multinationals can’t handle the data in their domestic market and avoid GDPR.

The underlying principle of GDPR is to give greater protection to individuals. This protection takes many forms: guidelines govern how data is handled and stored, with painful fines (€20 million or 4% of global annual turnover) if these are breached. There are also strict requirements on businesses reporting breaches; they now have to be more proactive.

Furthermore, individuals have protection against damaging information being held – the so-called “right to be forgotten” principle. All this places additional demands on organisations.

The EU has also introduced the NIS Directive. It’s especially aimed at network and cloud providers. This ensures that operators take appropriate security measures on the networks that they operate. Unlike GDPR, this directive only applies to larger businesses.

The UK’s take on data sovereignty

The UK’s withdrawal from the EU has meant that the country’s continued support for GDPR has come into question. The government has announced that it plans to replace GDPR with its own data protection regime.

Plans remain vague but are thought to include a more flexible approach to data protection and a relaxing of the rules on reporting data breaches.

What data sovereignty means for organisations

The various regulations have had a dramatic effect on organisations. Many have appointed a chief data officer to pull together all the strands within an enterprise. That person then becomes responsible for compliance with GDPR.

It isn’t a simple task. The data officer must understand the legal issues (and, if there’s extensive use of cloud, the providers’ service level agreements) along with having an excellent grasp of data storage and cybersecurity.

Finally, it will be someone who understands all the links within a business and how everything operates. Dealing with data sovereignty issues is quite a challenge for the modern business.

Maxwell Cooter

Although Max trained to be a programmer, he quickly found his vocation in journalism. He was the founder editor of Cloud Pro, the UK's first dedicated cloud publication and has written for dozens of titles, including The Guardian and The Daily Telegraph. At TechFinitive he writes about cloud computing and data.