What Is Data Sovereignty?
Data sovereignty refers to the concept that data is subject to the laws and governance of the country and/or region in which it is collected, processed and stored.
As technology has become more globally connected, the issue of which laws apply to digital data has given rise to rules and regulations around data sovereignty, including data residency and data localization.
Personal data belonging to around 65% of the world’s population is now covered by privacy regulations, with an increasing percentage of internet users growing concerned about privacy every year. As such, compliance with data sovereignty is not just a legal and/or regulatory matter for businesses, but a reputational one as well.
Data Residency
Data residency is about where data is stored – in particular, where it resides in both geographic and physical terms.
In geographic terms, regulatory bodies may have specific requirements around data residency, and organizations must act on those requirements in order to meet their compliance obligations.
In physical terms, data residency also refers to the proximity of the data relative to the device that processes it. For example, a computer is more likely to process cloud data efficiently when it is positioned close to the data center that hosts the relevant information.
Data Localization
Data localization refers to the act of meeting data residency requirements, for example by localizing data to ensure that it is processed within its country of origin. Some highly regulated industries require this. Others present it as best practice guidance, with additional requirements placed on organizations that process data in other countries or regions.
This often drives organizations to localize their data for an easier life, though there may not be a legal requirement for them to do so.
How Does Data Sovereignty Work?
Data sovereignty works based on the idea that the location in which data is collected determines the laws and governance that apply to it. For example, if a company collects data in France, it must comply with relevant data legislation in France, regardless of where the company itself is based.
If the same company also collects data in Canada, it must comply with Canadian data sovereignty laws as well. This means that businesses that collect and process data across international borders face greater complexity in how they deal with that data.
Businesses that are obliged to comply with Know Your Customer (KYC) and Know Your Business (KYB) requirements must pay careful attention to data sovereignty laws, as must those in the healthcare and financial industries, along with many others.
The History of Data Sovereignty
Data sovereignty has evolved significantly over the past 30 or so years, especially to keep pace with the rate at which technology has expanded. The first major piece of legislation in relation to data sovereignty, beyond pre-existing data privacy and protection laws, was the European Union’s Data Protection Directive in 1995.
This directive aimed to ensure that companies holding data belonging to EU citizens only stored and processed that data within the EU.
Meanwhile, over in the US, the passing of the Patriot Act delivered a different take on personal data sovereignty and privacy. Under the act, the US government had the power to access any data that was physically stored within the country’s borders.
Over time, increasing concerns around data privacy, security and sovereignty led to additional legislation. In the US, the Snowden revelations in 2013 shed new light on the issue when they revealed that US agencies had been illegally collecting and monitoring sensitive personal data.
Today, the data sovereignty landscape is complex. Some of the key pieces of legislation that touch on data sovereignty are:
- The General Data Protection Regulation (GDPR) in the EU
- The Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act and the Children’s Online Privacy Protection Act in the US
- The Personal Information Protection and Electronic Documents Act in Canada
- The United Kingdom General Data Protection Regulation in the UK
- The Lei Geral de Proteção de Dados Pessoais in Brazil
Various pieces of state legislation in the US, such as the California Consumer Privacy Act and the Virginia Consumer Data Protection Act, also have implications in terms of data sovereignty.
Data Sovereignty and the EU GDPR
The GDPR applies to all EU member states and all organizations operating within those territories, as well as any organization that controls data that belongs to an EU resident. Its goal is to protect the data privacy of each and every one of those residents.
Data covered by the GDPR can only be transferred out of the EU if the non-EU country has similar data protection laws in place. This adds a data localization element to the GDPR’s data protection and privacy requirements.
Under the GDPR, individuals have the right to:
- be forgotten
- request all data that companies hold about them
- correct data that companies hold about them
- know if their data has been exposed
Organizations must only collect data with a clear purpose, process it in line with six lawful bases, and report any breaches within 72 hours.
GDPR legislation is seen as particularly important in relation to data sovereignty, as it has served as inspiration for many similar laws around the world.
Why Is Data Sovereignty Important?
From a business perspective, data sovereignty is important as organizations must comply with the requirements of the countries and regions in which they operate. This means that businesses need to be aware of local requirements and put policies, processes, and infrastructure in place in order to meet those requirements.
Not doing so can have major implications, such as fines, loss of regulatory approval, legal action and reputational damage, among many other penalties.
Data sovereignty is also important from an ethical perspective, as companies should have a duty of care that sees them respect their customers’ personal data and the privacy and sensitivity that surrounds it.
What Challenges Surround Data Sovereignty?
There are plenty of challenges around data sovereignty. Some of the top headaches for businesses involve such matters as Software as a Service (SaaS), changing laws, operational costs, data mobility, and risk of violations.
Let’s take a look at each one in closer detail.
| Type | Explanation |
| --- | --- |
| Software as a Service (SaaS) and cloud infrastructure | SaaS and cloud services often mean that organizations can reduce their costs by requiring less in-house infrastructure. However, they can also throw up challenges in terms of data sovereignty, depending on where the provider is based and where and how it will be collecting, storing, and processing the given data. |
| Changing laws and regulations | Changing legal frameworks and geopolitical arrangements can impact data sovereignty requirements. The UK’s decision to leave the European Union, for example, meant that the European Commission had to adopt an adequacy decision regarding the post-Brexit data protection regime in the UK under the terms of the GDPR. |
| Operational costs | Safeguarding and localizing data is not without cost. Organizations must invest in: ensuring their teams have the right knowledge around data sovereignty and data processing; creating adequate processes to comply with data sovereignty regulations and monitor compliance on an ongoing basis; maintaining an appropriate infrastructure to ensure data is stored and processed in the relevant location(s); and drawing up clear policies on how they collect, process and store data, to demonstrate regulatory compliance. |
| Data mobility | Data sovereignty regulations can impact how businesses move their data between territories, including encryption and security arrangements and locations that are not permitted. |
| Risk of violations | Data sovereignty violations can result in significant financial and legal penalties for organizations, as well as loss of reputation and business. |
Data Sovereignty Best Practices
Data sovereignty legislation may differ between countries and regions, but there are some best practices that apply to all organizations. These include:
- assigning sufficient time and resources to understanding all applicable data sovereignty obligations
- ensuring that processes are in place not only to comply with data sovereignty but also to monitor compliance and rapidly flag up any breaches or potential breaches
- understanding the purpose of all data collection and ensuring that data collected is the minimum amount required to achieve the given company’s purpose
- implementing robust access control as well as monitoring such control
- only holding data for the amount of time it is needed
- ensuring that all SaaS and cloud services comply with relevant legislation, including any data residency and data localization requirements
Though SEON’s primary function is detecting and preventing fraud, it also provides a secure environment from which to monitor data as it flows into your system. In compliance with GDPR and other data mandates, it does not store data itself, and gives distinct access controls to administrators. Though not a standalone data management option, SEON is easily stacked with big data solutions to get the most out of your valuable customer data while also staying on the right side of data sovereignty laws.