
Every search, purchase, download, and e-mail we make online builds a digital representation of ourselves. Our data is stored on a server somewhere, locally or internationally, which raises the question of who owns the data – is it us, the individual, or the company collecting it? Which laws should it comply with?

According to the World Bank, by 2022, global internet traffic is expected to see a 1,000-fold increase, reaching 150,000 GB of traffic per second. Some of that data will be governed by regulations specific to the location it originated from. Hence, if you are a business whose data crosses borders via the internet, you must be able to ensure that you comply with these regulations. Otherwise, fines and other penalties may follow.

Given the vast amounts of data being used and produced at present, exploring how various states assert control over data on behalf of their citizens is necessary for both innovation and national security. This is known as data sovereignty, which simply means that data is subject to the laws and regulations of the location where it is collected and processed.

Defining data sovereignty

Data sovereignty is a country-specific requirement wherein data must remain within the jurisdiction where it is generated. At its core, data sovereignty is about protecting private and confidential data. This ensures that the data remains under the control of its owner and the country of origin.

One of the most popular regulations related to data sovereignty is the GDPR, which took effect in 2018. In order to be GDPR compliant, organizations must implement and maintain security procedures to protect EU residents’ private data from unauthorized access. In addition, several other data collection and protection measures are taken into consideration.

Bear in mind that data sovereignty is more of a legal issue than a technical one. Laws vary from country to country, but the most common form of governance you’ll see is a restriction on some types of data leaving the country at any time. Regulations on data encryption and data handling are also implemented.

The use of public clouds that have regions and points of presence (PoPs) around the world complicates how these rules are followed. Misconfigurations and a lack of understanding lead to penalties, reputational damage, and, in some cases, a prohibition on the use of cloud computing altogether.

Data is becoming one of the most leveraged assets in today’s world. Governments are therefore working to prevent their citizens’ data from falling into the wrong hands. How is this being done? By compelling businesses to be mindful of how they transfer personal information beyond their country’s borders. For example, in the UAE, data sovereignty laws, regulations and standards dictate that all sensitive data – whether personal, government, financial, or medical – should not be hosted elsewhere.

With robust data sovereignty measures, if a business fails or refuses to comply, the host country’s government can impose a fine or force the company to align with the necessary provisions. As companies navigate geopolitical landscapes, data sovereignty has grown into an important topic – especially with the ongoing digital transformation involving the cloud.

Cloud affects sovereign data

Data sovereignty has been put into the spotlight by the rise of cloud computing. Countries have since passed laws to regulate and control data storage and transfers. Data requirements used to be easy to manage in traditional on-premises computing, when data was stored in data centers owned by local companies. By contrast, data in the cloud can be stored and accessed across borders, giving companies the additional responsibility of paying close attention to how they manage their data in different locations.

Addressing data sovereignty is a must as SaaS, cloud, and hosted services are being adopted more rapidly than ever. In a typical multi-cloud architecture, there can be two or more public clouds and potentially additional private clouds. With this in mind, to manage data orchestration, the company must stipulate storage locations.

A multi-cloud architecture can be at risk of violating multiple nations’ data sovereignty regulations. A cloud vendor should be chosen carefully, because applications and services running across scattered data centers can be subject to strict sovereignty laws.

The widespread adoption of cloud services, as well as new approaches to data storage, has broken down conventional barriers. In response, many countries have introduced new compliance requirements that mandate that customer data be kept within the country where the customer resides. Verifying that data exists only at allowed locations can be difficult, requiring cloud customers to trust that their cloud provider is completely honest and open about where its servers are hosted, in adherence to signed service level agreements (SLAs).

One approach to maintaining data sovereignty is encryption. By encrypting data and hosting their own encryption keys, organizations can ensure data protection, regardless of where the data is shared or stored. In this way, end-to-end encryption is achieved across the entire data life cycle.

Thus, protecting private data is a smart business decision as companies gain the confidence to select the global cloud partners that best meet their needs while maintaining complete ownership over their data. After identifying a cloud provider and the region to be covered, the complexity of meeting data sovereignty rules is reduced to maintaining policies that align with that specific location.

In a nutshell, as an operating business, you must know where your data is stored and then take the necessary steps to ensure that you comply with the legislation that governs that region. Moreover, you also need to ensure that your cloud provider offers tight security protocols to follow in case of a data breach, or in case you need to retract any data.

In Europe, enterprise cloud decisions are heavily influenced by authorities. As legal environments evolve and the importance of data protection grows, the idea of a sovereign cloud emerges and becomes highly relevant. Among those working towards this are Deutsche Telekom, Orange, and TIM, which are all members of the Gaia-X federated data infrastructure initiative. This initiative aims to create a framework for interoperable cloud services that meet European requirements and reduce dependency on US hyperscalers.

Outlook in the Middle East

Governments in the Middle East are actively tackling unprecedented political, social, and technological changes. Alongside pushing for a sovereign data governance approach, Saudi Arabia, the UAE, and Egypt — the biggest regional economies — have been implementing massive digital transformation strategies. The flipside? Increased exposure to cyberattacks.

Looking ahead, companies based in the region need to acknowledge the importance of a comprehensive approach as they aim to establish a cloud-risk management framework. Realizing the importance of data sovereignty when it comes to keeping citizens' data within national boundaries, local governments began issuing new sets of laws and regulations.

In February 2020, Egypt approved the Personal Data Protection Law No. 151. This law prohibits any transfer of personal data to recipients located outside the country. An exception can be granted with the permission of the Egyptian Data Protection Center. Also in 2020, the minimum cybersecurity requirements for cloud computing were released by the Saudi National Cybersecurity Authority (NCA). These are set out in the Cloud Cybersecurity Controls (CCC) document.

Meanwhile, in the UAE, data protection laws similar to the GDPR have been put in place in the Dubai International Financial Center (DIFC) and Abu Dhabi Global Market (ADGM) free zones. Challenges surrounding cyberspace and data issues in the Gulf region are set to intensify, putting pressure on advanced technologies and digital applications to provide services to citizens and protect their economies as a digitally powered future unfolds.
