The Future Of Data Security: Data Residency, Sovereignty And Localization Are All Here To Stay

You’re probably all too familiar with the challenges of crossing international borders—long queues, restrictions on destinations, impacts on employment clearances and the threat of invasive searches. Governments continually have to balance restricting undesirable movement against the economic vitality gained through more trade and travel, while weighing a variety of other geopolitical factors.

In the digital economy of today, this balancing act has now shifted to controlling the flow and storage of data across borders. There is a discernible trend as more and more data residency, data sovereignty and data localization requirements are proposed, enacted and enforced across the globe.

Understanding Data Residency, Sovereignty And Localization

Before delving into the implications of these requirements on data, it is worthwhile to understand the differences and similarities between these three distinct requirements.

• Data Residency: Data residency requirements dictate the physical location where data is stored and processed. Data residency is often an internal policy requirement or contractual commitment provided to customers independently of any other regulatory requirements or the source of the data.

Companies may decide to base all their operations and data in certain geolocations for a multitude of reasons, but most commonly it is to take advantage of certain tax benefits or other commercial incentives.

• Data Sovereignty: Data sovereignty requirements encompass the legal and regulatory mandates through which a country or region exerts control over data within its borders. Increasingly, these mandates empower individuals to exert more control over their own data. Companies are required to comply with these regulations based on the location of the data.

• Data Localization: Data localization requirements are typically regulatory mandates that enforce the storage and processing of data within the country or region it was created. Companies are required to adhere to this requirement for all data when operating in certain countries or regions.

In summary, data residency outlines the intended geographical storage and processing of data, data sovereignty is about the rights and control over data based on the jurisdiction in which it is stored and processed, and data localization mandates that data remain within a specific location and jurisdiction.

What This Means For CISOs

Complying with the need to control data as a result of these emerging requirements is increasingly landing at the feet of the CISO, who is already tasked with securing and controlling the flow of data across the organization.

To effectively navigate the challenges imposed by data residency, data sovereignty and data localization, CISOs are now expected to know what data is within a data store, where it is and where it is going, and be able to translate data protection laws, regulations and policies into enforceable security controls.

At a minimum, CISOs must take a multifaceted approach to data security. This starts with classifying and mapping the organization’s data: identifying where data is stored and where it flows, and recording the sensitivity, geolocation, legal requirements and other business needs associated with it. This exercise identifies the data that requires specific data residency, sovereignty or localization measures, as well as the third parties involved in handling the organization’s data.

Based on the data inventory, CISOs should task their legal and compliance teams with producing a comprehensive assessment of the data protection laws, regulations, governmental policies and contractual commitments to customers in the countries where data is stored or processed. The assessment should focus on the specific requirements and restrictions imposed by these jurisdictions, including any data transfer limitations or mandatory data localization rules.

By understanding the implications, CISOs can help their organizations make better-informed decisions regarding data storage and processing, ensuring compliance with regulations and safeguarding sensitive information.

In addition, the legal and compliance teams should be tasked with assessing the existing data processing agreements with vendors and partners involved in handling the organization’s data. These agreements should align with data residency and data sovereignty requirements, outlining responsibilities, security measures and limitations on data access and transfer.

Most importantly, the security and protection of the data in scope should be assessed and remediated to reduce the risk of unauthorized access, destruction and alteration of data, in addition to the identified compliance issues.
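As an added illustration (not code from the article or from any product it mentions), the following Python turns the inventory and rule assessment described above into an enforceable check: each store from the data map is tested against a residency commitment and a localization mandate, and each data flow is tested for moving localized data across a border. The jurisdictions, classifications, stores and rules are constructed sample values, not statements about any real law.

```python
# Added example (not from the article): checks a data inventory from the
# mapping exercise against constructed residency and localization rules.
from dataclasses import dataclass

@dataclass(frozen=True)
class DataStore:
    name: str            # inventory label
    region: str          # jurisdiction where the store is physically hosted
    classification: str  # sensitivity class assigned during data mapping
    origin: str          # jurisdiction in which the data was created

# Residency (internal/contractual): classification -> jurisdictions where it
# may live. Localization (regulatory): jurisdictions whose data must stay
# where it originated, whatever its classification. Sample values only.
RESIDENCY = {"pii": {"eu"}, "financial": {"eu", "us", "in"}}
LOCALIZED = {"in"}

def check_stores(stores, residency=RESIDENCY, localized=LOCALIZED):
    """One finding per rule a store breaches; empty list when compliant."""
    findings = []
    for s in stores:
        allowed = residency.get(s.classification)
        if allowed is not None and s.region not in allowed:
            findings.append(f"residency: {s.name} holds {s.classification} in "
                            f"{s.region}; allowed {sorted(allowed)}")
        if s.origin in localized and s.region != s.origin:
            findings.append(f"localization: {s.name} holds {s.origin}-origin "
                            f"data but is hosted in {s.region}")
    return findings

def check_flows(stores, flows, localized=LOCALIZED):
    """Flag (source, destination) transfers that move localized data abroad."""
    by_name = {s.name: s for s in stores}
    findings = []
    for src_name, dst_name in flows:
        src, dst = by_name[src_name], by_name[dst_name]
        if src.origin in localized and dst.region != src.origin:
            findings.append(f"transfer: {src_name} -> {dst_name} sends "
                            f"{src.origin}-origin data to {dst.region}")
    return findings

# Constructed sample inventory: two stores breach a rule, two are clean.
STORES = [DataStore("crm-eu", "eu", "pii", "eu"),
          DataStore("crm-us-replica", "us", "pii", "eu"),       # residency
          DataStore("ledger-in", "in", "financial", "in"),
          DataStore("analytics-us", "us", "financial", "in")]   # localization
FLOWS = [("ledger-in", "analytics-us"), ("crm-eu", "crm-us-replica")]

if __name__ == "__main__":
    print("\n".join(check_stores(STORES) + check_flows(STORES, FLOWS)))
```

The same rule tables can be fed from the legal assessment as it changes, so the findings list becomes the evidence of control the last section asks for.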

These steps sound simple and achievable, but without the tooling to provide the fine-grained visibility they require, multinational organizations may struggle to prove their ability to meet the increasing number of data residency, sovereignty and localization requirements they encounter.

It’s not surprising, then, that CISOs are increasingly turning to data-centric tools, such as data security posture management, to build their understanding of the data within their environments, monitor access to it and observe changes to it. Without evidence-based data to demonstrate their fine-grained control of data, they know it is difficult to keep up with regulations.

