Data sovereignty: A critical consideration in your cloud strategy

Data sovereignty requirements often vary by country and mean that data must remain within a country’s borders

New Update
Data sovereignty

Data sovereignty is a crucial topic of conversation for businesses looking to transition to the cloud, and it is not going away any time soon. Unfortunately, some organizations overlook the complexities of data sovereignty when planning a move to the cloud. This can have dire consequences.


Data sovereignty is the idea that data is subject to the laws of the country in which it is collected or processed. Data sovereignty requirements often vary by country and mean that data must remain within a country’s borders. Many countries have had these laws for decades, and new privacy laws, such as the General Data Protection Regulation (GDPR), only make them more prominent. For example, countries like Russia, China, Germany, France, Indonesia, and Vietnam require their citizens' data to be stored on physical servers within the respective countries. The reasoning is that it’s in their citizens’ best interests to protect personal information against misuse, especially outside of a country’s jurisdiction.

Adhering to data sovereignty regulations adds complexity for companies looking to migrate data internationally. Before beginning a migration, IT teams must address several questions: 

  • How is your data classified? Identify which portion of your data is sensitive and why. Craft a plan for how you will protect it.
  • How much data is moving? Determine what data you need to migrate and what you don't need. Not everything must be retained.
  • Who will access your data? Limit access to those who need it to complete the migration. Manage credentials accordingly and deactivate these once the project is complete.
  • What happens to the data in transit? Will it be temporarily stored somewhere? Encrypt the data while it’s in transit to ensure that it won’t be compromised during its journey.
  • What happens to the data post-migration? After the migration is complete, make sure to destroy any copies of your data. Decommission and sanitize the old infrastructure and clear all data.

Major public clouds have data centers already distributed globally. When moving data, these data centers let companies designate in which region they want their data to reside instead of building a data center. The cloud can also provide a significantly more efficient and scalable solution for companies to maintain their current data growth rates without continually expanding capacity ahead of anticipated growth. Once a cloud provider and region have been identified, IT teams can turn their attention to meeting the data sovereignty requirements of their specific region.

Data sovereignty carries regulatory and legal complexity. Developing a thorough understanding of where company data resides during its lifecycle and under whose jurisdiction is not easy. But with careful planning and proactive steps to address the applicable data sovereignty regulations, IT teams can ensure they’re able to move their data legally and securely to its destination. 

Brad Rosario Hi Res Headshot

The article has been written by Brad Rosairo, APAC Managing Director, BitTitan