Cloud migration and data sovereignty: no laughing matter

 When you picture "the cloud", what do you see? Is it a hyperscale data facility, your Dropbox account or just some giant, glowing filing cabinet in the sky? 

Whatever you envision, one thing is clear: the cloud is a worldwide phenomenon. It allows the large-scale sharing of data and apps between providers, enterprises and consumers over vast distances. The digital economy is a global economy: there's no two ways about it. 

Despite this, we don't have a global framework for data protection. Different countries apply different legal rights to "data subjects" (a data subject being anyone whose personal information is being handled by an organisation). 

In practice, this means some countries stop you from transmitting data from their country. Others still have privacy laws that stop you from disclosing personal data to third parties. In fact, more than 100 countries have their own data sovereignty laws – and they're all different. 

"That's OK," you might be thinking. "My company based in Finland will simply follow the data laws of the Finnish state." A startup in Helsinki isn't going to be following Malaysian contract law – so why do you need to concern yourself with other countries' legislative frameworks? 

The simple answer is that data stored in the cloud may fall under more than one country's laws, depending on where it's hosted and who's got control of it. 

This could be the case if, say, you're using a public cloud provider  and a local data centre – the so-called "hybrid cloud". Those two storage spaces could be subject to distinct local legal requirements. 

This can present company-wide challenges. IT, legal and other departments need to be proactively involved in deciding where to store data and stay on top of the laws that apply to it. 

Before we look at some key considerations with regard to data sovereignty, let's clear up some terms. What's the difference between data sovereignty, data localisation and data residency? 

A pocket dictionary of data sovereignty 

If you store personal data in Australia, you have to follow its 13 "privacy principles" (APP). This is an example of data sovereignty – a law governing the handling of personal data. Laws like these will set out how data should be processed.

Data localisation, by contrast, is a law stating that data about a nation's citizens and residents has to be processed within the country's borders. It's a way of controlling the flow of residents' data. Different nations have different motivations for doing so. 

Data residency is sometimes used interchangeably with data localisation – but it refers more specifically to a business's decision to store its data in a specific location. This will typically be because their location of choice has favourable regulations or tax structures. 

In practice, people muddle these three terms all the time. However, there are differences. 

All of them can affect your usage of the cloud, either by limiting where data can be processed, stored, accessed and shared, or by hiking up prices for storage in foreign countries. 

What do you need to do to ensure data sovereignty in the cloud? 

The best thing you can to do ensure data sovereignty is to partner with a cloud provider that's across the issue. This is the easiest way to minimise the risk of data sovereignty issues further down the line. 

All the major cloud providers now have data sovereignty tools and policies in place. AWS has its Digital Sovereignty Pledge, for example, and Google Cloud has its Digital Sovereignty Explorer: "a guided series of questions about [an] organisations' digital sovereignty requirements" designed to simplify the process. 

The difficulties tend to arise when you're storing data in different countries, each beholden to its own regulations and laws. It's a complex issue. One way to simplify it is by applying the principle that "too much is better than not enough".

In practice, this means applying the toughest of your host countries' regulations across all the others. That way, you've got a super-strong data sovereignty posture  and you don't have to follow unique guidelines in each location. 

(But remember, you need to check that there's no conflict between them – that will only come back to haunt you.) 

Finally, you need to stay on top of your backups. These, too, fall under data sovereignty laws. 

Does your company have good visibility into its backup processes? Do you know what's happening on-prem, in your dedicated cloud service or in the public cloud? Are you sure that everything meets the relevant data sovereignty requirements? 

If the answer is "no" – or even "maybe" – then you should take another look, perhaps with the help of a reputable cloud consultant. 

What is indigenous data sovereignty? 

Data sovereignty has a political dimension, too. In North America, for instance, efforts are being made to reflect tribal rights in data collection. Researchers at theUniversity of Arizonaare "addressing the need for tribes to drive their data agendas through practising Indigenous data sovereignty and governing their information". 

Similar efforts are underway for Aboriginal and Torres Strait Islander peoples and the Sámipeople of Northern and Eastern Europe, as well as other Indigenous peoples. 

Conclusion 

The flow of data across the world is a defining feature of our digital age. But it comes with restrictions, regulations and compliance frameworks. 

Making sure your enterprise is in line with data sovereignty isn't something to be taken lightly. The main thing is to consider it and implement it proactively. You may find, however, that you need some external help from a cloud consultant . If so, get in touch– we'd be happy to answer any questions you might have. 

Ascend Cloud Solutions is an Ireland-based cloud consultancy staffed by ex-VMware experts. We specialise in cloud migration, vSphere optimisation, HCX consulting and NSX-V to NSX-T migration.