Data Sovereignty and the Cloud: Are You Compliant?

The rapid adoption and popularity of cloud and SaaS applications such as Microsoft Office 365 and Salesforce have introduced a better way to collaborate and share data, and have provided businesses with improvements in efficiency and lowered IT costs. SaaS and cloud computing are changing the paradigm for how we work.

As you move to the cloud, you also introduce new risk to your organization. As data moves between individuals and collaborators, between endpoints, and across the globe, new security requirements are needed to keep your data safe and your business compliant. According to a CipherCloud survey, 64% of organizations cite compliance, auditing and privacy as the biggest security challenges associated with cloud computing.

Data Sovereignty Concerns are Global

Indeed, questions of data ownership, individual privacy, and data residency have moved to the forefront both for IT and for governments around the world. Many countries, such as France, Germany, Japan, and Australia, have taken a leading role in addressing data residency and data sovereignty. Data sovereignty is the principle that digital data is subject to the laws and legal jurisdiction of the country in which it is stored. In 2014, the Australian Privacy Principles came into force, a set of mandatory data management requirements intended to protect individuals' privacy. Seven of the 13 principles are relevant to data in the cloud and data managed by SaaS solutions.

Although data sovereignty and data residency regulations are set by governments, responsibility for meeting them falls on both the organization using the service and the vendor selling it within a given country.

Tips for Maintaining Compliance

So how do you maintain data compliance and data security as you move to hybrid or cloud environments? First, recognize that compliance for cloud and SaaS applications requires consensus and participation between IT and every department that now uses those applications. IT is still responsible for the data, but may no longer own the application. This is a shift from the role IT and software played in an on-premises environment.

So where do you start? Here are some common-sense guidelines to help prepare your organization for a move to the cloud that meets the data sovereignty and data residency requirements in your part of the world.

  1. Understand your country’s rules and regulations regarding data sovereignty and data residency. These laws are still evolving to catch up with technology, so it is in your company’s best interest to ensure you are compliant with the most recent policies and regulations.
  2. Review your vendor’s security and privacy policies. Prepare questions about how data is treated and where it moves, with regard to data sovereignty and data residency. It is your responsibility to vet your vendors on their adherence to your country’s data sovereignty and personal privacy regulations.
  3. Obtain documentation from the vendor detailing their security features, certifications, and protocols. Ensure their security mechanisms specifically address cloud solutions, not only on-premises deployments.
  4. Back up your data. When moving any data to a SaaS solution or to the cloud, ensure that it is as safe and protected in the cloud as it was on premises: back it up. Configuration errors, ransomware and malware, and accidental deletion are real threats to prepare for and protect against. And ensure that the companies you evaluate to back up your data also meet your country’s data sovereignty principles, since a backup copy stored in another jurisdiction is subject to that jurisdiction’s laws.

Download Complying with SaaS Data Management Principles: Australia and New Zealand