Data sovereignty should be fully explored by businesses when decisions are being made to store data offsite or in another jurisdiction, as part of its business continuity plan, information technology experts advise.
Data sovereignty means that data is subject to the laws and regulations of the geographic location where that data is collected and processed.
“The issue of data sovereignty is always a hot topic when discussing cloud storage facilities. This is, therefore, a consideration when governments and businesses are seeking facilities to host their data. Typically, wherever a cloud facility is physically located, it has to abide by the laws of that nation. These laws may be in place to protect one’s data from being wrongfully accessed, modified or shared, but there may also be laws that grant that nation’s government access to the data,” explained Roldane Henry, infrastructure services lead at MC Systems, the technology member company of The Jamaica National Group.
He added that having the slightest doubt about the safety of ones data is enough to trigger paranoia among governments and businesses alike.
“The upside to the use of cloud-storage facilities to replicate data is the reassurance that it is stored on an infrastructure that is more resilient than what a typical business would possess,” he said.
He noted that businesses may seek out cloud storage providers, such as Microsoft Azure or Amazon Web Services (AWS) that can easily integrate with their backup software. “In a nutshell, no matter where a business resides, these storage facilities are available for use (at a subscription cost) further blurring the line between cloud and on-premise storage,” he said.
Henry Osborne, technical product manager at The Jamaica National Group, noted that from a regulatory and legal perspective, there exists the issue of cross-border data access and data localisation (data-residency requirements that confine data within a country’s borders). However, he suggested that businesses use data to create value, and many can only maximise that value when data can flow freely across borders; yet a growing number of countries are enacting barriers that make it more expensive and time consuming, if not illegal, to transfer data overseas.
“Data localisation can be explicitly required by law or is the de facto result of a culmination of other restrictive policies that make it unfeasible to transfer data, such as requiring companies to store a copy of the data locally, requiring companies to process data locally, and mandating individual or government consent for data transfers,” he said.
Although some countries enact blanket bans on data transfers, many are sector specific, covering personal, health, accounting, tax, gambling, financial, mapping, government, telecommunications, e-commerce, and online publishing data. Others target specific processes or services, such as online publishing, online gambling, financial transaction processing, and apps that provide services over the internet (thereby bypassing traditional distribution).
Data Sovereignty and GDPR
Professor Sean Thorpe, head of School of Computing and Information Technology at the University of Technology, said that since May 2018, the protection of data is enforceable under the General Data Protection Regulation (GDPR) in all countries of the European Union (EU).
“The reach of the GDPR extends internationally, and in particular in countries like Jamaica where the Data Protection Act affords for such reciprocal treatment. So it is for reasons like these that the big technology (Big Tech) companies have been under the heavy microscope on the rights and use of citizens’ data,” he explained.
He said, for example, in the EU, if there is a request by citizens to have their data deleted by a data provider, this must be observed, as under the GDPR, individuals are required to give informed consent about how their data gets processed regardless of where that EU citizen is within the world.
“The trans-border nature of the data access transfers the power to the rights of the citizen with respect of how this data is to be treated and very important to note. In jurisdictions where you have no data sovereignty, you may be treading a little bit more precariously, and as such, storage and rights must be explicitly spelled out under a Non-disclosure Agreement (NDA), as well as specific Service Level Agreements (SLAs),” he said.
The head of school of computing at UTech posited that there is an opportunity to have greater participation within both GDPR and non-GDPR corridors through special agreements such as NDAs and SLAs on a case by case basis. This he said will expand the footprint of where and how data is stored outside of a country.
“The subject of this sovereignty is still a big question and unanswered in many regards. In essence, in my opinion, sometimes we end up giving up the rights to such access, and to realise that data today has no one [address/ location]. The footprint of our data literally sits on millions of servers located all across the world,” he said.
“One could say this has broken the silos of privacy and presents a [completely new] privacy paradox. Our Gmail, Zoom (accounts), among other streamed personal data services, is all sitting in many private and public clouds as we speak, and hence we do not know who accesses that data. Now where data is both personal and sensitive, how you use these highly valuable public and private cloud storage services need to be measured,” he added.
We are here to support you as your technology consultant. Let’s start the conversation. Connect with us at solutions@mcsystems.com | 876 552-8124 | 876 564-2231.