Data Sovereignty and supply chain management
What is data sovereignty?
Data sovereignty is the concept that digital data is subject to the laws of the country in which it is processed.
SaaS (Software as a Service) and cloud storage services have dramatically increased in popularity in recent years, but their use often entails international data transfers, which can result in major compliance challenges for users and providers. This is particularly true when it comes to compliance with the UK GDPR (General Data Protection Regulation).
What does this mean in practical terms?
To quote the NCSC (National Cyber Security Centre):
“One of the UK’s most valuable assets is its data. Together with the data centres that hold and process it, it underpins almost all facets of modern life. This makes data centres an attractive target for threat actors, due to the large and diverse amount of information they hold that supports our national infrastructure and businesses.”
Managed hosting or cloud hosting providers sometimes store your data in multiple locations, not necessarily in the UK. It is important you know where your data is stored, since some countries such as China and Russia have laws that could put it at risk.
If a data centre, or data processing partner you use is open to foreign direct investment (FDI), shareholders from a country hostile to the UK may be able to gain greater influence over operational decisions, including security-related ones. This may increase the risk posed to your infrastructure and/or data should shareholders be linked to or pressured by their domestic government, which may be hostile to UK interests.
What does UK GDPR have to say?
The UK General Data Protection Regulation (GDPR) sets out key principles which data controllers and data processors must comply with when processing personal data, including restrictions on personal data being transferred out of the UK unless the destination jurisdiction has adequate levels of data protection or there are appropriate safeguards in place.
Depending on the sensitivity of your data, or your obligations under UK GDPR, you may wish to ensure at a contractual level with your provider that your data is only ever stored within an agreed jurisdiction (for example, countries that form part of the data adequacy whitelist, or only UK-based providers) to mitigate the risk.
But the USA is fine… isn’t it?
On July 16, 2020, the European Union Court of Justice (ECJ) invalidated the EU-US Privacy Shield in its decision in Facebook Ireland v. Schrems (Schrems II). The court determined that the Privacy Shield transfer mechanism does not comply with the level of protection required under EU law, namely GDPR.
Since the UK GDPR is fully in line with the EU enactment, the same judgement applies in terms of the UK GDPR.
What do I need to do?
It is essential that you review your supply chain, and that due diligence is undertaken in line with your information governance requirements:
Ensure that your suppliers are either UK based or have appropriate mitigations in place.
Review their data practices and accreditations, for example Cyber Essentials, Cyber Essentials Plus and ISO 27001 certifications.
Email marketing healthcheck
We are confident that we can help you, which is why we offer a free healthcheck to identify potential issues with your current programme and free advice on things that could be done to improve it.