Data Sovereignty and GDPR [Understanding Data Security]
Data sovereignty can cause confusion for many security professionals, so we are going to cover what it is and how it relates to your company’s data security.
Why is data sovereignty important? Data sovereignty is important because it regulates how data should be governed and secured, specific to the country where it was collected and not where the collector resides.
What Is Data Sovereignty?
Data sovereignty is the requirement that information is subject to the regulations of the location where it was collected and processed.
Organizations face several problems in interpreting that requirement. Sovereignty is a state-specific regulation requiring that information collected and processed in a country must remain within the boundaries of that country and must adhere to the laws of that country.
This can produce complex, interconnected, and conflicting laws that companies must follow. For example, a company collecting information in the EU might use Microsoft Azure or Google cloud servers. Both are U.S. companies governed by U.S. law, which means that they could be subject to legal requests from the government to disclose that information, which would be a violation of EU data privacy laws.
In a business world where international commerce and cloud storage are the norms, these types of situations can put organizations in incredibly challenging conditions.
Additionally, some terminology is often conflated with sovereignty:
- Data residency: Residency often refers to instances where a business or other organization stores information in a specific geographical location to find favorable regulatory compliance. This could include shifting locations to show that most of their business operations are in another country for financial reasons.
- Data localization: In the strictest of terms, localization refers to the requirement that data created in a specific location remains in that location. This can include compliance regulations, such as the European Union’s General Data Protection Regulation (GDPR), over personal data related to a country’s citizens that require organizations to keep that information in local servers and limit or forbid transmission outside of national borders.
- Indigenous data sovereignty: A branch of sovereignty, indigenous sovereignty applies specifically to the rights of indigenous nations in the United States, Canada, and Australia (among other countries) to manage the privacy of their own information.
Landmark Cases Establishing Data Sovereignty
The emergence of sovereignty as a legal concept on a global scale can be traced to the PRISM program, an observation and clandestine information collection program operated by the National Security Agency that was exposed by Edward Snowden.
PRISM and the U.S. PATRIOT Act
The National Security Agency (NSA) observes and collects information, including texts, images, movies, phone calls, social network details, and video calls across various platforms and providers. Beyond the program's dubious legality, the U.S. was also collecting information from foreign nationals caught in the net.
Alongside the PRISM program, the U.S. PATRIOT Act gave the U.S. government the right to collect data from any server located physically within U.S. borders, which often included foreign information governed by different types of privacy and security laws.
Microsoft v. The United States
While the PRISM case didn’t set any standards for data sovereignty into law, it did start the conversation. Another case, Microsoft Corp v. The United States, served as a landmark for the concept.
In 2013, the U.S. Department of Justice sought to collect information from Microsoft servers concerning drug trafficking cases under investigation. Microsoft refused because the information was stored in a center in Ireland, outside (according to Microsoft) U.S. jurisdiction and subject to Irish data laws.
Microsoft lost the initial legal challenge but appealed to the 2nd U.S. Circuit Court of Appeals, which disagreed with the findings and sent the case to the U.S. Supreme Court, during which Congress passed the CLOUD Act. This law stated, essentially, that a U.S. company must turn over information related to law enforcement regardless of where that information is stored. However, it added specific requirements for protecting the information of foreign nationals whose information exists in servers operated by U.S. companies in non-U.S. jurisdictions, specifically in cases where the U.S. has data-sharing laws in place with these countries.
The CLOUD Act also set standards for foreign countries seeking access to information housed in the U.S., pending oversight by U.S. courts and demonstration of legal and evidentiary merit.
How Does Data Sovereignty Relate to the GDPR?
The GDPR was enacted in participating EU countries in 2018, and set strict standards for protecting privacy and ownership of consumer information. These laws also covered sovereignty.
Under the GDPR, any information collected from citizens of the EU must reside in servers located in EU jurisdictions or in countries with a similar scope and rigor in their protection laws. This way, the information will fall under the strict security laws of the EU and citizens will remain under that protection.
Specifically, this law applies to both processors and controllers alike, which means that both companies collecting information and those offering services for data collection fall under this law.
What does that mean for providers and businesses outside of the EU? If you operate in the EU or serve businesses by collecting information from EU citizens, you fall under the GDPR. Violation of this regulation could result in fines of up to 4% of your total global annual revenue.
How To Approach Data Sovereignty With Cloud Service Providers
Needless to say, if you are working with an international customer base, or operating in foreign countries, then data sovereignty is an important aspect of your business.
With that in mind, there are several factors your organization should consider:
- Locations of servers: There should be clear and agreed-upon locations for storage and processing. Some cloud providers will attempt to divide cloud coverage by “region” to maintain flexibility, so the more specific these providers can be, the better.
- Local jurisdiction and privacy laws: Your organization should have a good understanding of the governing privacy laws applicable to that information. These laws could impact how that information is governed going into or coming out of that country, and whether those types of file transfers are even legal.
- Map data ownership and consumer rights: Alongside privacy and security laws, you should have a good understanding of consumer rights. For example, information protected by the GDPR gives ownership to the consumer, which means that these individuals can demand their information be provided to them or deleted. Regulations like the GDPR—or more recently the California Consumer Privacy Act (CCPA)—place strict limits on how that information can be processed and used.
- Determine information governance tools: Any cloud or service provider should also provide critical information governance features like comprehensive audit logs, retention, remediation tools, and advanced analytics.
Compliant and Secure Data Management With Kiteworks
The Kiteworks platform provides technology- and industry-agnostic security controls that meet the governance, compliance, and security requirements of almost any application. Features like immutable logs, secure file transfer, and business analytics support businesses juggling complex regulations while maintaining enterprise operations.
To support such operations, the Kiteworks platform has the following features:
- Security and compliance: Kiteworks utilizes AES-256 encryption for data at rest and TLS 1.2+ for data in transit. The platform’s hardened virtual appliance, granular controls, authentication and other security stack integrations, and comprehensive logging and auditing enable organizations to protect sensitive data while ensuring efficient governance and compliance.
- Secure file sharing: Kiteworks supports secure file sharing for third party risk management (TPRM), enabling organizations to share confidential data, such as personally identifiable information (PII), protected health information (PHI), and intellectual property (IP), with third parties while remaining in compliance with industry and government regulations, such as the Health Insurance Portability and Accountability Act (HIPAA), Federal Information Processing Standards (FIPS), and Cybersecurity Maturity Model Certification (CMMC), among others.
- SIEM integration: Organizations can keep their environments secure by integrating metadata from sensitive content communications with security information and event management (SIEM) data for single-pane-of-glass alerts, logging, and event response. Integrations include IBM QRadar, ArcSight, FireEye Helix, and LogRhythm, among others. Kiteworks also has integration with the Splunk Forwarder and Splunk App.
- Audit logging: Kiteworks provides immutable audit logging, enabling organizations to trust that they can detect attacks sooner while maintaining the correct chain of evidence to perform forensics. Since the platform merges and standardizes metadata from multiple sensitive content communication channels, its unified Syslog and alerts save security operations center (SOC) teams crucial time and help compliance teams prepare for audits.
- Single-tenant cloud environment: File transfers, file storage, and access to files occur on a dedicated Kiteworks instance, deployed on premises, on Logging-as-a-Service resources, or hosted in the cloud by the Kiteworks Cloud server. This means no shared runtime, databases or repositories, resources, or potential for cross-cloud breaches or attacks.
- Data visibility and management: The CISO Dashboard in the Kiteworks platform gives organizations an overview of their data: where it is, who is accessing it, how it is being used, and if it complies. Help your business leaders make informed decisions, and your compliance leadership maintain regulatory requirements.
Get more details on how Kiteworks enables organizations to manage data sovereignty, centralizing metadata for all sensitive content communications in one pane of glass by scheduling a custom demo today.