Once something of a compliance specialty, data sovereignty has become a strategic imperative for any organization operating internationally. If you collect, store, or process information across borders, you’re now (or soon will be) under pressure to prioritize the in-country control and protection of residents’ data. Otherwise, you risk both financial penalties for being non-compliant, and reputational fallout for failing to take it seriously.
Avoiding these pitfalls begins with asking two straightforward questions pulled right from the information governance playbook: Where does a person whose data you use reside, and where is that data being processed? If the countries listed in response don’t match, then you may have a sovereignty problem.
Not New, But Now Pressing
I first encountered this issue in the 1980s as editor of a tech newsletter about what we then called “transborder data flow,” with a focus on the then-newish ability to transact electronically across national boundaries.
Today, the issue is far broader and more strategic. According to Fortune Business Insights, the growth of sovereign cloud services “is driven by several factors, including greater compliance with regulatory requirements, meeting the need for enhanced data privacy, and allowing government organizations to retail full control over their data.”
Here’s a great example of why this is so: A client in a non-U.S. federal government subscribed to a U.S.-based cloud service by signing up online and entering his credit card number. However, he didn’t realize the provider’s servers were not located in his country, so this simple and familiar transaction caused him to instantly and unwittingly violate his data sovereignty laws. Needless to say, consequences ensued.
Data Sovereignty is a Core Governance Responsibility
Instances like this are why organizations are under pressure to ensure that local data does not cross international borders. The financial, legal, and reputational ramifications of coming up short are becoming increasingly difficult to ignore, so now is the time to audit the way you collect, store, and transfer your information – or in other words, to raise your governance game.
The organizations that do this most successfully will not be those with the largest governance budgets or the most sophisticated technologies, though there are automated tools that can facilitate the process. (Not for nothing, our own Governance Accelerator is one of these.) Rather, they will be the ones with a clear understanding of their information landscape and a commitment to act upon that knowledge.
So in the end, as sovereignty requirements continue to sharpen, the question is no longer whether you should know where your data is stored and processed, it’s when you’ll be compelled to report on it.