Why the Geopolitical Landscape Should Be a Key Consideration When Choosing Where to Store Your Data
Guest author: Ian Brown, Chief Information Security Officer at Spectris
Published on 18th January 2023
Working in the cloud has become part of our everyday life. As a result, organizations around the globe are constantly looking to implement cost-effective, scalable, and secure solutions.
However, how many of us consider the ever-evolving geopolitical landscape and specific data protection laws as part of our decision-making process when it comes to introducing and running these new solutions? Implementing a successful cloud risk management solution is a clear way to incorporate these factors automatically.
This is particularly important when you consider that it’s not uncommon for an organization to have offices or employees based in several different locations across the globe. How we use and exchange data between those locations will change as a result of the geopolitical landscape of the time, making it a complex exercise, to say the least.
Legal protocols surrounding the sharing and storage of data change depending on where you are in the world. To complicate matters further, these measures are constantly being updated to reflect whatever political tensions there may be at a given time.
For example, according to research conducted by the Information Technology and Innovation Foundation (ITIF), the number of laws and regulations for global data localization has more than doubled in the last five years, rising from an initial 67 across 35 countries to 144 in 62 countries. The penalties for breaching these laws can be severe, and according to IBM’s Cost of a Data Breach Report 2022, 45% of data breaches occur in the cloud. The average cost to organizations is between $4 million and $5 million, depending on whether they operate within the public or private cloud.
When handling and sharing international data, organizations must ensure data privacy is not put at risk.
Why are data regulations important and how do they impact business processes?
Each country has its own data protection laws, some stricter than others. Your data is crucial to your business, so knowing the complexities of the laws governing it is vital but challenging.
Typically, these laws and regulations are split into three separate categories, and it’s important to know the difference between them.
- Data residency
- Data sovereignty
- Data localization
The three categories are closely related, but they refer to concepts with very different meanings. Not understanding the difference between them could lead to significant sanctions if your organization were subject to a data breach.
Below is a definition of each:
- Data Residency – Data residency is the least restrictive of the three concepts. It refers to the location where a government body, industrial body or business specifies its data will be stored.
- Data Sovereignty – Data sovereignty is more restrictive. This is the idea that data is subject to the laws of the country where it is collected, processed and stored.
- Data Localization – Data localization is the strictest concept of the three. This means keeping the data of businesses within the borders of a specific country.
Confining data within one country’s borders not only jeopardizes an organization’s security but can also seriously restrict trade and how businesses function on a day-to-day basis.
Some laws are presented as an attempt to address privacy concerns in order to conceal the real motivation behind them.
How do geopolitical events impact your data?
The world is a complex place, and certain geopolitical events can lead to significant changes in laws, government policies and economies.
For these reasons, your organization should be aware of the geopolitical landscape. You may need to pivot between strategies to stay compliant and to adapt swiftly when policies change.
The Russia/Ukraine conflict
The current conflict between Russia and Ukraine has impacted multiple organizations in both countries and around the world. Russia’s new regulations are a particular cause for concern: it recently approved legislation that restricts the transfer of data abroad. Companies registered within Russia that wish to transfer data abroad must notify the state regulator in advance.
The legislation is a direct response to Western sanctions following Russia’s invasion of Ukraine. A note accompanying the bill read: ‘the cross-border transfer of data poses a significant threat in the current foreign policy situation’.
Another example is Britain’s withdrawal from the European Union. This led to questions from UK-based organizations about cloud storage and data transmission across multiple locations within the EU. The solution was to class the UK as a ‘third country’ under the EU’s General Data Protection Regulation (GDPR).
The UK has adopted GDPR into law and follows the same principles as the EU, the only difference being that the UK has the authority to review it at any time. As a result, UK data can move freely throughout the EU with minimal exceptions.
It’s important for your organization to be agile in these circumstances to ensure your data is protected, and you are adhering to jurisdictional guidelines.
What steps can you take to protect your organization and its data?
Understanding the laws and regulations surrounding your organization’s data use is vital, especially in terms of the differences between data residency, data localization, and data sovereignty. Conducting an audit of your network will provide a better understanding of your obligations regarding storing and sharing data across borders.
A good place to start is by asking some simple questions:
- Where is your organization’s personal, financial and client data created or processed?
- Where is it stored and who owns the data center it is stored in?
- What are your backup procedures? For example, where is the data backed up to? This has implications for its security.
- How well do you know the privacy regulations your cloud provider operates under? Has the provider disclosed where its data centers are located and which regulations apply to them?
The geopolitical landscape is constantly changing, so knowing the answers to these simple questions could be crucial in protecting your data from risks arising from events outside your control.
To hear more from Ian Brown, check out this episode of our Capability-Centric GRC & Cyber Security podcast. We have an in-depth discussion about the burdens of managing cybersecurity and compliance within his role at Spectris.
SureCloud’s GRC Solutions
SureCloud’s GRC software and services can provide you with a cloud risk management solution that helps mitigate the potential challenges of data governance. To learn more about what we can offer you, get in touch with a member of our expert team.