Data sovereignty: Keep your critical data close

Monday 19 September 2016

Author: Shannon Simpson, CEO, CNS Group – an independent, UK based cyber security consultancy. CNS Group are exhibiting at IP EXPO Europe 2016 alongside Telent on stand GG20.


We are post-Brexit and people are looking to the future. We are all analysing the risks and opportunities the current political climate poses to businesses. One contested area for the IT security industry is how to progress with the EU General Data Protection Regulation (EUGDPR), due to come into force on 25th May 2018. The regulation requires organisations of all sizes to know exactly where in the world any personal data they hold, by which an EU citizen can be identified, is stored and managed. If an organisation does store this data, then it (as the Data Controller) and its Service Providers (as Data Processors) would still have to comply, whether the UK is a member of the EU or not. As this regulation drives higher data governance and protection standards, it makes little sense to retreat from this legislation, particularly if we still intend to have any kind of data sharing relationship with the EU.


Brexit also gives us an opportunity to differentiate the UK and build an international reputation as a safe-haven for sensitive data. Leaving the EU allows us to also introduce our own laws and regulations to protect data stored in the UK. Either way, if comprehensive questions about data sovereignty are not already part of your data governance strategy, they should be.


Defining the right data safeguards

European data protection laws were enacted before cloud became a pervasive computing option, but their intent was clear: personal data could only be transferred to countries that could demonstrate the right data safeguards. So who defines what is ‘right’?


Organisations have since realised that, if their data was held in the cloud by a company registered in any foreign country, the provider would be compelled to abide by the local data access and privacy laws. This lack of control over data put European companies using cloud services and applications at risk.


In response to concerns about data location, France and Germany have already brought legislation into force requiring that all personal data must be held in country. Companies such as Amazon and Microsoft are investing heavily in European facilities to help their customers choose where in the world they want to store information. But in our experience, changing the location of a service provider’s data centres is not enough to prevent UK companies potentially falling foul of data protection legislation.


Questions for data sovereignty

This diversity of regulatory frameworks will be a challenge for global organisations and cloud providers. The EU is one of the few areas seeking to harmonise legislation and reduce the administrative burden for any organisation that processes EU residents’ personally identifiable information (PII).


From 25 May 2018, the EU General Data Protection Regulation (GDPR) will come into force, bringing with it much stiffer penalties for data breaches. Much of what has been written about these new rules focuses on the penalties, but the legislation also brings a much broader definition of personal data and more stringent privacy risk assessments.


If organisations are going to reduce the risk of data protection non-compliance, UK Plc needs greater control of data sovereignty. And even if the major cloud providers take an “if we build it locally they will come” approach, having a UK or European data centre may not be enough to ensure comprehensive compliance. In our experience, if you are considering any cloud-based service, you should be asking providers the following questions:

  1. Where is your data stored?
  2. Who has access to your data?
  3. Where is your data backed up?
  4. How is your data encrypted?


What should your next steps be?

As part of your data governance strategy, you may decide that it is an acceptable risk to hold some information offshore, but in some instances organisations will not have a choice.


Post-Brexit, if we still want to trade with the EU and maintain our relationship, we will still have to comply with the EUGDPR. Although the rules still have some time to evolve, as the EUGDPR creeps closer, businesses of all sizes will need to ensure that they meet data sovereignty requirements as part of their overall compliance with the regulation.

Next steps

  • Build a data governance strategy; understand where your data is retained, where your data is backed up, and whether or not it is encrypted
  • Understand who has access to your data. Seek clarity on who administers it and what type of reporting you will receive
  • Think about how your data governance fits within your wider cyber security maturity model
  • Demonstrate your commitment to cyber maturity with the right accreditations, from Cyber Essentials to Public Service Network (PSN) Accreditation
  • Ensure you will comply with EU Data Protection by choosing Data Sovereign MSSPs


If you’d like to find out more about data sovereignty and its impact on UK businesses, you can sign up to our BrightTALK webinar on Wednesday 7th September.
