Factoring data sovereignty in your cloud strategy

July 05, 2022 06:00

Data sovereignty has taken centre stage as more and more global companies move to the cloud and look to move data freely across regions. Data must be situated somewhere in physical data centres, which come under the jurisdiction of the country they are located in, and the data is therefore subject to the laws of the land. These rules and regulations can significantly impact how data is accessed and moves across the organisation, which must be factored in when building a cloud strategy. Compliance is critical, as failure to adhere to data laws and regulations can have serious financial, reputational and even criminal ramifications.

Data sovereignty across Asia is disharmonious, making navigating the regulatory landscape a minefield for businesses. For instance, India embeds requirements related to data localisation under data privacy legislation, while China spreads its enforcement across cybersecurity, data security and personal information protection laws. Vietnam, likewise, sets out data localisation requirements under its cybersecurity bill, while Hong Kong has a long-standing policy against data localisation — although authorities are now beginning to relax the moratorium on data centres.

While the region is moving rapidly towards greater cloud adoption, data privacy and protection of personal data should be at the forefront for organisations if they intend to be data-driven in their decision-making.

In the days when on-site data centres were the norm, and any cloud offerings might have been offered by small, local companies, where data went was easy to track. But today, industry consolidation and globe-spanning cloud service providers have seen to it that the paths data takes are more convoluted.

For example, a company based wholly in Hong Kong may want to utilise a set of tools that are available on Microsoft Azure or Amazon Web Services (AWS), both of which are American companies. Where is that data being routed? While it is being processed, is it subject to Hong Kong or US laws?

This is quite a conundrum as Hong Kong's Personal Data Protection Act (PDPA) regulates data privacy and the transfer of personal data by giving citizens the right to know how their private information is collected, used, and disclosed. The US, on the other hand, has no comprehensive national law.

The importance of data sovereignty

Factoring in data sovereignty issues at the start of strategy creation helps organisations unlock the full potential of the cloud. Data is gold, and as more countries realise the economic potential and associated security risks, they will have an increasing interest in keeping it in-country for processing and storage. While this might be good for that country, the creation of regional data silos does not get the most out of the cloud, and it makes optimising processes and business intelligence more difficult, if not impossible.

How to get out ahead of data sovereignty issues

Businesses have legal obligations to know where their data and customer data is stored and then take the necessary steps to comply with any applicable data localisation laws. Plus, they need to ensure that their cloud infrastructure offers tight security and has protocols to follow should they experience a data breach or if they need to destroy any data.

So how do organisations navigate the tricky waters of data sovereignty without slowing innovation? Well, it might help to come up with a data protection strategy from the start with the following considerations:

● Know the law: Consult legal and compliance departments and clarify all requirements.
● Find out what you are working with: Identify all cloud data assets, paying special attention to assets that may contain data that fall under the purview of data sovereignty.
● Identify regional variances: Different countries might have different encryption requirements for different types of data, especially as more and more countries are passing strict regulations on data storage and data transfer. Become familiar with these requirements from the outset. In Indonesia, for example, regulations stipulate that financial data cannot be stored outside the country without prior approval. In Hong Kong, meanwhile, any company sending data outside the country must take measures to ensure the owner of the overseas data centre is compliant with Hong Kong’s data protection laws.
● Understand data gravity: Data doesn’t literally create a gravitational pull, but smaller applications and other bodies of data seem to gather around large data masses. As the data sets and applications associated with these masses continue to grow larger, they become increasingly difficult to move. This creates the data gravity problem. Make sure you have a plan in place to recognise the large and heavily used datasets, and ensure these are architected to be secure and mobile.
● Plan for periodic reviews: Remaining compliant requires constant vigilance. Companies change, and processes evolve. Make sure to have a monitoring plan in place.
● Consider data security by design: Assume that the business will be impacted by upcoming legislation. Implement data security practices that will allow compliance with any new laws. While businesses may have to adapt to a new piece of legislation in the future, they stand a better chance of compliance if the right baseline principles are already in place.
● Architect for mobility: When possible, architect cloud solutions to allow for the mobility of data should one region establish legislation that has business impact.

Organisations have multiple considerations to weigh, and the burden is exacerbated by stretched IT departments and a worrying talent gap. Keeping up with data sovereignty adds more work to an already overloaded plate. However, these challenges are not a death knell for businesses in the region. Rather, they require innovative solutions that can efficiently manage deployments in the public and private cloud to work faster and smarter. As Asia progressively moves towards compliance with data privacy requirements to stay ahead of its competitors, data sovereignty laws should not limit the adoption of cloud-based services.

Instead of going it alone, organisations will be well placed if they work with experienced partners to navigate the data sovereignty waters of the region. IT teams are then free to innovate around their core competencies and keep moving the needle forward, no matter where an organisation operates.



Senior Director, Data Services, Asia Pacific and Japan, Rackspace Technology