With the ever-evolving global data privacy landscape and the requirement such as data localisation, Governments of various nations, backed by their political ideologies and powered by trade interests, are drawing up new data protection regimes. These regimes oversee public sectors and private organisations to secure the rights of individuals over their privacy; however, the onus is on the individuals to be aware of how and when to exercise their rights.
Data localisation is a critical requirement for organisations to continue running their business within the country, maintain data security and individual privacy and restrict cross-border data flow; it normally requires organisations to store and process personal, critical, or financial data within a particular territory in which it originated and often subject to the access and local regulations.
Various driving factors for such regimes can be broadly categorised into:
- Regulatory drivers, which include data privacy concerns, nationalism, and the economic value of data, and
- Market drivers include highly regulated sectors such as Health, Finance, and certain country’s Governments emphasising data sovereignty within Request for Information and Request for Proposal documents.
Irrespective of the underlying intent of governments to protect their citizen’s data, prevent foreign surveillance and bring it under their jurisdictional umbrella, data localisation has an impact on the cost of compliance, the efficiency of operations, and the use of resources for private and public organisations.
Data localisation challenges in the cloud environment
Moving sensitive data to the cloud brings new challenges concerning data localisation, for e.g.:
- Data Centre could be located anywhere globally, which raises more compliance requirements pertaining to specific geographical locations. Data Centre may be present in one country but owned by an organisation headquartered in a different country. In that case, the organisation may have the right to access the data based on certain cross-border data regulations agreed upon among both the countries.
- Database may be owned and operated by third-party providers, so accessibility and visibility may get impacted. For example, cloud consumers may not have the desired level of access to their data and not know which individuals in cloud providers have access to the database.
- Missing regulatory compliance requirements can lead to regulatory fines, sanctions restricting business activity, and reputational and business loss.
Understanding data localisation trend
Data Localisation requirement implementation often demands business and data transformation. For e.g.
As per the Draft Data Protection Bill of India, Indian citizens’ data is to be stored and processed within its territory.
All data collected on EU citizens are required to be stored in the EU or within a jurisdiction that has similar levels of protection.
The data operators must ensure that Russian citizens collected personal data, its systematisation, storage, updating, extraction etc., are performed through the databases located in Russian territory.
Critical Information Infrastructure operators and Personal Identifiable Information processors are required to store all collected and generated personal data within mainland China if they cross the data volume threshold set by the Cybersecurity Administration of China.
Given such stringent requirements, organisations may choose to host Data Centre locations in countries that mandate data localisation; and thereby reduce their operational complexity of data transfer requirements due to the business and legal, security, and privacy controls responsibilities in different countries.
A comprehensive strategy for data localisation implementation
With a clear understanding of data localisation trends and associated challenges, organisations can build the shared resources’ governance model, agree upon different aspects of security management, and define clear responsibilities for the cloud consumer and providers. Organisations can follow below mentioned best practices and focus on building a comprehensive data-centric security strategy:
- Understand the data being generated/collected, processed, and managed for the business, and remove unsolicited data at the earliest
- Identify regulatory laws applicable to your business and which country requires data to be stored locally and/or accessed / processed out of the country
- Analyse the organisation’s assets, data, threat actors, and previous risk assessment results as input, and perform an initial assessment of applications, network, infrastructure, and system development life cycle, etc.
- Define and implement a strategy to protect sensitive data in legacy systems and implement the country-specific applicable data protection requirements and controls to store and back up the data securely
- Implement a “do once, use many times” framework to save the cost, time, and staff effort required to conduct repeated security assessments against multiple regulatory requirements
- Use Continuous Cyber Compliance Monitoring to have a more standardised process environment, increase stability, streamline future rollouts to additional regions and maintain regulatory requirements
- Regularly do a due diligence check for the cloud partner’s compliance adherence against the regulatory requirements and ensure that they implement all the applicable provisions
- Monitor, manage, report, and take appropriate actions on regulatory non-compliance and related incidents across the organisation and the cloud ecosystem
by Deepa Seshadri, Partner and Neelima Tople, Manager, Deloitte India