The Data Sovereignty Dilemma of the Digital Workplace
If you are storing data in the cloud, be sure you can manage the storage location of the data to meet data sovereignty requirements.
26 May 2015
The digital workplace has arrived. The transformation is done. The mobile workforce is real and we are all a part of it. The arrival of the digital workplace has triggered the adoption of numerous cloud-based applications, bringing with it data leak risks and governance-related challenges. Governments globally are responding to data threats by implementing more stringent regulations, particularly related to data privacy.
In my last post, I discussed how the digital workplace came to be and why organizations have rapidly started to adopt SaaS technologies to streamline processes in the global workforce. In this post, I’d like to talk about the data sovereignty challenges and questions that arise in the digital workplace.
Organizations that adopt cloud technologies need to understand the matrix of information governance policies, data privacy regulations, and coming data sovereignty laws that their business may or may not be subject to. That said, there are many complex issues businesses face with a particular eye on data sovereignty and a few items you should keep in mind while defining your cloud strategy.
The migration to the digital workplace and the importance of cloud services in delivering the resources workers need have fueled marketplace changes that governments are only now catching up with. For instance, it’s been more than 15 years since the U.K. Data Protection Act. Many organizations are still working out how to manage where data is housed and which country ultimately has jurisdiction over data in the post-Snowden era. The European Union put together a group representing the 27 member states to try to determine a solution to protect EU members’ interests.
Organizations need to anticipate the needs of their business in order to meet compliance requirements regarding the location and processing of stored data, and they need to work out how to manage these needs effectively in a world that has become increasingly distributed.
All of this has brought us new terms and new markets. ‘Data Sovereignty’ is the buzzword that many in our field have been talking about, and rightly so.
Data Sovereignty Questions to Ask Before Moving to the Cloud
As organizations migrate to the cloud, there are some key questions to ask before choosing a provider. This is vital to determining if the provider meets the requirements of the data sovereignty regulations for the country or countries in which you operate.
- How can the privacy of a citizen’s information be protected when it is stored outside of the country? What about with a foreign-based vendor?
- How can regulators ensure that they have access to sensitive information (e.g. financial information, drug trial data) stored outside the regulating country?
- How can national courts retain jurisdiction over enforcement of national laws for cloud-hosted data?
If you are storing data in the cloud, be sure you can manage the storage location of the data to meet data sovereignty requirements. To accomplish this, consider whether it is the location of the encrypted data or of the encryption keys that matters. If access to foreign-hosted data is managed in-country, will that meet the standard?
Also, it's important to think through what reporting requirements you need on the content stored. Does storing the content outside of the country impact your obligations to report on the content? This is the question in the case where Microsoft is battling a subpoena from a U.S. court to share customer data stored in its Irish data center. This has serious implications in the case of sensitive intellectual property. With data moving freely around the globe in multiple copies, who exactly owns that data, and under what country’s jurisdiction does all of that data fall?
As the workplace became digital, the truth is that users moved to the cloud and brought the enterprise with them. Now enterprises must determine how to manage the emerging regulatory issues. The Microsoft case is certainly one to watch. As you look to evaluate partners offering cloud services, pay close attention to how the data’s physical location will impact your regulatory requirements so you can tether the data to the geography appropriate to your business.
How Enterprises can Manage the Data Sovereignty Dilemma
For global enterprises, there is no silver bullet to solve the challenge of data sovereignty regulation. Instead, companies must design processes and information governance policies to fit the varying requirements that reflect their business and the geographies in which they operate.
Maintaining the regulatory compliance and governance of data starts with changing the way we think about data control. The old way of doing this was through encryption of data at rest and in transit. The protection was tied to the data’s physical location, not the data itself.
In the new digital workplace, we need to think about encrypting the data no matter where it is or where it goes. This is what we refer to as the separation of data control from the physical location. It no longer matters if the data is on a personal laptop or in a corporate server; the encryption travels with it — ensuring only authorized persons can view the content. Further, you want to be able to control whether or not the data is able to be used in certain places. The rules set on data are tied directly to its sensitivity. With this kind of location control, you could have data stored in one place, but only accessible in another. These capabilities — included in solutions such as Customer Managed Encryption Keys and Information Rights Management — are critical to the idea of centralized control over distributed data.
If you seek data location control, it is difficult to achieve it without incorporating some file-level encryption. Organizations need to enable a simple collaboration process that is near transparent to the user — frictionless. If you have rights to open a file — it opens. If you do not have rights, you get a message to let you know exactly what is going to happen. Any friction introduced into the process will result in a lack of user adoption.
Organizations must make decisions relative to the countries where they do business, where their content is hosted and who is accessing it, which relate back to a few key areas:
- Can I independently define where my content is stored, where (and how) it is accessed, and who may access it?
- Can I apply my data governance policies across my organization and to my users — even if they are using a personal device (e.g. computer, phone, tablet, or wearable)?
- Is the architecture of my cloud provider nimble enough to react to changes in international regulations regarding data privacy?
As you move to the cloud, take a comprehensive look at all your bases. Be sure that your information governance and technology strategies align with current and foreseeable legal and data security requirements. It’s not an easy puzzle to solve, but with focus in the right areas, and with the right partners, it can be done. If these changes are not met, the concept of a global, productive, and compliant workforce with easy access to business systems and content could quickly be washed away.
Check out the recorded session of my presentation at Gartner Digital Workplace Summit, “Intralinks: Maintaining Content Control in the Digital Workplace” — now available at Gartner Events on Demand — if you want to learn more about how you can keep control of your content in the digital workplace.
Pete Brown is the Director of Product Marketing at Intralinks. He has broad industry experience in SaaS applications, with deep expertise in trends and technologies related to information sharing, mobile work and data storage. In his previous role at Sonain, Pete led product marketing for cloud-based email archive with responsibilities including developing market requirements, competitive intelligence and channel enablement programs.