Data Sovereignty and Cloud: How Do You Ensure Compliance?


Tech Insights for Professionals: The latest thought leadership for IT pros

Friday, July 16, 2021

With different data rules emerging for different political and geographical regions, cloud data storage presents a major compliance issue for organizations.


Data sovereignty is a key issue for CIOs and CISOs in an increasingly balkanized cloud environment. As the cloud becomes more nebulous, regulated organizations need to keep their data close to home, while increasing regulations mean all businesses need to ensure they know where their cloud data could end up.

Cloud data sovereignty asserts that your business data is subject to the laws where it’s stored, be that a nation, region or area. When moving data to the cloud as your business adopts new services, understanding those data sovereignty regulations and ensuring compliance are vital parts of IT’s role in following the many data legal frameworks.


Every day a new report suggests that foreign governments and criminal organizations are trawling the cloud for business data that they can either leverage for competitive advantage or hold hostage for ransom. While that may sound far removed from your firm’s cloud operations and footprint, the scale of risk shouldn’t be underestimated.

Even if there’s no criminal intent, businesses must ensure their data remains protected and follows the rules of the regions it’s stored in. Just as a business traveler faces new rules and regulations when they go abroad, the same is increasingly true for corporate data.

Why is cloud data sovereignty important?

With so much data generated every day, it’s crucial that you understand data sovereignty in the cloud.

As different political blocs create their own data rules for business and personal information, organizations face a landscape of growing complexity. Consider the EU’s GDPR, national laws such as Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA), and even state or regional laws such as the California Consumer Privacy Act (CCPA).

If your company uses Google’s or Amazon’s cloud, there’s a chance that some data might end up stored on a server in one of those regions as a backup or operational resource. The same applies if a business department adopts a new cloud service whose servers happen to be in Russia or an eastern European state, where different rules may apply and security requirements may not be equivalent to those in your home country. If a service claims it owns the data stored on its servers, your business could find itself in murky legal waters.

The three keys to cloud data sovereignty

Research from our recent cloud security survey found that approximately 50% of IT professionals cited data sovereignty/residency/control as a key concern.

1. Data sovereignty

Data sovereignty refers to the governmental laws, regulatory policies or other rules regarding data privacy for the home geographic location of a business. Usually, equivalent rules must be in place in a third-party provider’s country to protect data.

2. Data localization

These are the rules that state where business data can legally be located. This might be across the EU, but with Brexit in force, British firms could face a different set of rules if data equivalence and adequacy aren’t agreed upon between governments. Note the ongoing argument:

“These distinct approaches reflected the underlying positions: arguably, the UK wanted to unleash the potential of unrestricted personal data processing and escape the disciplinary effect of the GDPR and the CJEU, while the EU aimed to uphold a high level of data protection and minimize the risk that its privacy framework might be challenged...”

3. Data residency

This refers to requirements that data be stored in a specific location for regulatory reasons, such as health or legal confidentiality obligations, tax rules and so on.


How to ensure data sovereignty compliance in the cloud

Organizations need a policy that covers the current state of their data obligations and can be expanded to cover future data usage as cloud adoption grows.

The company needs to understand which data is stored in the cloud, where that data is kept geographically and where it could end up in the future. Because different rules apply to different types of data, such as personal information, regulated files, financial records and business-critical information, organizations also need to know which person or part of the business created each data set and is responsible for it, and what other rules or implications its use in the cloud creates.

For example, many businesses including Google and Facebook moved UK data from EU servers to US-located ones and changed terms and conditions to reflect this as a result of Brexit. That could change where data is stored, requiring updates to the compliance policy, and if a third-party provider uses a cloud service where data could travel beyond borders, that in theory could require a change of service or provider.

As of 2020, Amazon AWS and Microsoft had UK-based data centers, but as rules and locations change, organizations need to remain up to date with their compliance rules and checks. In more practical terms, businesses also need to establish that data backups, encryption tools and other essentials are all designed to protect data wherever it goes and meet regulations in whatever country the data may be stored.

In an ideal world, it would be best and simplest to locate all cloud data in your home nation across private clouds, but the realities of cloud services make this unlikely. Many companies have six or more cloud service providers, and data crosses many networks.

Therefore, data sovereignty compliance policies are required by all firms to ensure that they can successfully monitor providers and services, ensuring data is securely handled in transit and on servers. As cloud footprints expand, being able to manage this will only work if your business has a strong compliance system in place.
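The steps above (know what data is in the cloud, where its primary copy and any backups or replicas live, who owns it, and whether it is protected wherever it goes) lend themselves to a simple automated check. The following is an added example, not code from the article or from any cloud provider: it runs a constructed residency policy over a constructed inventory and reports every resource whose primary copy or replica sits outside the regions permitted for its data classification, lacks an accountable owner, or is unencrypted at rest. Provider names, region labels, classifications and the allowed-region table are all assumptions for illustration and do not encode any real legal requirement.

```python
"""Data-residency policy check over a cloud storage inventory.

Added example (not from the original article). The inventory, region
labels and the allowed-region policy below are constructed illustrations
and do not represent any real legal rule.
"""
from dataclasses import dataclass


@dataclass
class CloudResource:
    provider: str            # hypothetical provider label
    resource_id: str         # hypothetical bucket / database name
    region: str              # region holding the primary copy
    classification: str      # e.g. "personal", "health", "financial", "public"
    owner: str               # business owner accountable for the data
    replica_regions: tuple = ()   # regions that backups or replicas are sent to
    encrypted_at_rest: bool = True


# Constructed policy: classification -> regions where that data may reside.
# "*" means no residency restriction. Assumed values, not legal advice.
RESIDENCY_POLICY = {
    "personal": {"eu-west-1", "eu-central-1"},
    "health": {"uk-south"},
    "financial": {"uk-south", "eu-west-1"},
    "public": {"*"},
}


def check_resource(res, policy=RESIDENCY_POLICY):
    """Return a list of (resource_id, issue) tuples for one resource."""
    findings = []
    # Every data set needs someone accountable for it.
    if not res.owner:
        findings.append((res.resource_id, "no accountable owner recorded"))
    # Protection must travel with the data regardless of region.
    if not res.encrypted_at_rest:
        findings.append((res.resource_id, "not encrypted at rest"))
    allowed = policy.get(res.classification)
    if allowed is None:
        # Unclassified data cannot be checked against any residency rule.
        findings.append((res.resource_id, f"unknown classification {res.classification!r}"))
        return findings
    if "*" in allowed:
        return findings
    # Check the primary copy and every place a backup or replica could end up.
    locations = [(res.region, "primary copy")]
    locations += [(r, "replica") for r in res.replica_regions]
    for where, label in locations:
        if where not in allowed:
            findings.append((res.resource_id,
                             f"{label} in {where} not permitted for {res.classification} data"))
    return findings


def find_violations(inventory, policy=RESIDENCY_POLICY):
    """Run check_resource over a whole inventory and flatten the results."""
    out = []
    for res in inventory:
        out.extend(check_resource(res, policy))
    return out


# Constructed sample inventory (all names and regions are made up).
SAMPLE_INVENTORY = [
    CloudResource("providerA", "customer-records", "eu-west-1", "personal", "CRM team", ("eu-central-1",)),
    CloudResource("providerA", "customer-records-backup", "eu-west-1", "personal", "CRM team", ("us-east-1",)),
    CloudResource("providerB", "patient-notes", "uk-south", "health", "", ()),
    CloudResource("providerC", "marketing-site", "us-east-1", "public", "Web team", ("ap-southeast-1",)),
    CloudResource("providerB", "ledger", "eu-west-1", "financial", "Finance", (), encrypted_at_rest=False),
]

if __name__ == "__main__":
    for rid, issue in find_violations(SAMPLE_INVENTORY):
        print(f"{rid}: {issue}")
```

In practice the inventory would be populated from each provider’s resource listing rather than typed by hand, and the policy table would be maintained by whoever owns the compliance policy so that a change in adequacy rules (the Brexit example above) is a one-line edit that is immediately re-checked against everything deployed.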
