What is data sovereignty?
Data sovereignty is the concept that digital data is subject to the laws of the country in which it is processed.
Software as a Service (SaaS) and Cloud storage services have dramatically increased in popularity in recent years, but their use often entails international data transfers, which can result in major compliance challenges for users and providers.
This is particularly true when it comes to compliance with the General Data Protection Regulation (GDPR) and the Directive on Security of Network and Information Systems (NIS Directive)/NIS Regulations.
Data sovereignty and the EU GDPR
The EU GDPR applies to the processing of EU residents’ personal data, regardless of where that processing takes place. Moreover, it applies to both data controllers and data processors, so, whether your organisation uses or provides a Cloud service that processes EU residents’ data, you must comply.
The Regulation also introduces mandatory breach reporting, and requires data controllers and processors to implement appropriate technical and organisational measures to protect personal data.
If you are GDPR compliant, you risk regulatory fines of up to €20 million or 4% of global annual turnover (whichever is greater), legal action from aggrieved data subjects, and reputational damage in the case of a breach.
International data transfers under the GDPR
Chapter V of the GDPR states that personal data can be transferred outside the EU under two circumstances:
- On the basis of an adequacy decision (Article 45).
- When subject to appropriate safeguards (Article 46).
(There are also a number of derogations for specific circumstances, which are listed in Article 49.)
1. Adequacy decisions
As under the EU GDPR’s predecessor, the Data Protection Directive 1995, transfers of personal data to a third country (i.e. one that is not an EEA member), a territory or an international organisation may take place only if the European Commission has decided that there is “an adequate level of protection”.
To date, the Commission has adopted 13 adequacy decisions – with Andorra, Argentina, Canada (for transfers to commercial organisations that are subject to the Personal Information Protection and Electronic Documents Act (PIPEDA)), the Faroe Islands, Guernsey, Israel, the Isle of Man, Japan, Jersey, New Zealand, Switzerland, Uruguay and the US (for companies certified to the EU–US Privacy Shield).
2. Appropriate safeguards
If there is no adequacy decision, controllers or processors may transfer EU residents’ personal data to a third country or an international organisation if they provide appropriate safeguards and “enforceable data subject rights and effective legal remedies for data subjects are available” (Article 46). Appropriate safeguards may be provided by:
- Legally binding and enforceable instruments;
- Binding corporate rules (explained further in Article 47);
- Standard data protection clauses;
- Approved codes of conduct; or
- Approved certification mechanisms.
Data sovereignty and Brexit
The UK’s withdrawal from the EU will create greater challenges for organisations that process EU residents’ personal data.
Learn what you need to do to prepare for Brexit
Data sovereignty and the NIS Directive
The NIS Directive applies to operators of essential services and digital service providers (DSPs), which include providers of Cloud computing services such as SaaS, Platform as a Service (PaaS) and Infrastructure as a Service (IaaS). Enterprises with a turnover of less than €10 million do not fall under the scope of the Directive.
Article 16 of the Directive states that DSPs must “take appropriate and proportionate technical and organisational measures to manage the risks posed to the security of network and information systems which they use in the context of offering services”.
These security measures should “ensure a level of security of network and information systems appropriate to the risk posed”.
DSPs must also “take measures to prevent and minimise the impact of incidents affecting the security of their network and information systems on the services [they offer], with a view to ensuring the continuity of those services”.
The European Commission’s Implementing Regulation, which sets out the rules for implementing the Directive, clarifies that the “appropriate and proportionate technical and organisational measures” noted in Article 16 can be managed under the guidance of standards such as ISO/IEC 27001:2013 and ISO 22301:2012, which set out a best-practice approach to cyber resilience.
Find out more about cyber resilience
The UK government will carry out a consultation on the Implementing Regulation once it is finalised, but has stated that its approach is “likely to be based around ensuring consistency with the Single Market, so that [DSPs] can have a consistent approach in regard to security standards measures across the UK and the Single Market, and is likely to follow the guidance published by [ENISA]”.
All of these requirements can be met with a robust cyber resilience posture that combines information security and business continuity best practice.
Find out more about the NIS Directive/NIS Regulations
ISO 27001 and ISO 27018
Increasing numbers of companies are seeking certification to international standards as a way of demonstrating their compliance with the information security requirements of the GDPR and other laws that relate to data security and privacy.
ISO 27001 is the international standard that specifies the requirements of a best-practice information security management system (ISMS) that will help you implement the “appropriate” organisational and technological security measures required by both the GDPR and the NIS Directive.
ISO 27001’s companion standard ISO/IEC 27018:2019 provides specific control objectives, controls and guidelines to help organisations involved in Cloud computing protect personal data in public Clouds.
Find out more about ISO 27001
Cloud security consultancy
IT Governance’s Cloud security compliance readiness assessment and remediation consultancy service gives you an objective assessment of your compliance with the 14 Cloud Security Principles (14 CSPs), the Cloud Security Alliance’s Cloud Controls Matrix (CSA CCM) or the Cloud Security Alliance’s Security, Trust and Assurance Registry (CSA STAR). We are an approved G-Cloud supplier.
Find out more about Cloud security consultancy