Data residency and data sovereignty: what's the difference?
The terms 'data residency' and 'data sovereignty' are similar as they both relate to where data is stored, but they are very different. Data residency refers to the geographical location of data, whereas data sovereignty relates to the laws and governance structures that data is subject to, due to the geographical location of where it’s processed.
Phil Bindley, Managing Director or Intercity’s Cloud and Security Division, believes that the location of data "has become increasingly important due to an increased demand for cloud storage, as many businesses shift to hybrid and remote working."
In real terms, ParkMyCloud reported that three quarters of enterprises now define their strategy as hybrid or multi-cloud.
And while cloud-based services can offer organisations significant value in terms of collaboration, Bindley suggests that "using these applications leads to an increase in international data transfers." This can result in compliance issues for users and providers, "due to the ever-changing and differing data protection and privacy laws across the world."
Following the UK’s exit from the European Union, Bindley adds that "data transfers from the UK to the EU are safeguarded by the Adequacy Decision announced on the 28th of June 2021, meaning personal data can continue to flow between the two without the need for organisations to ensure appropriate safeguards apply."
While the UK’s data protection regime is deemed adequate until 27th June 2025, Bindley said "this will only be renewed if the UK continues to protect the personal data of EU residents, in line with the EU GDPR rules. If UK data protection law significantly diverges from the EU GDPR, the Commission could withdraw this decision."
In further discussion with Binley, we explored what these regulatory changes mean for businesses.
So what do businesses need to be aware of when it comes to tracking data?
"Taking a multi-cloud approach means businesses will be storing data across the different sites that they use for different activities, such as HR or payroll. While we’re not suggesting turning back the clock on cloud migration, it’s important to closely examine where your data resides, what’s in the small print, and whether your cloud services provider is being transparent.
Once data is in the cloud, a lot of businesses will assume its security is the responsibility of whoever runs that cloud, such as Microsoft for Microsoft 365. However, the security for that data is still down to the business itself, and it’s the business that will be at risk if the data is breached or lost. Having clarity over what data is held and where it sits in terms of its sovereignty and residency is vital, so staff and customers can be assured their data is in safe hands.
Despite its importance, keeping track of data within these different sites often falls to the wayside for SMEs, as they don’t employ a Data Control Officer who can take responsibility for it, meaning no staff member or division feels accountable for keeping data secure."
The risks of not keeping track
"If there was a breach, you need to know who is responsible for the security of the compromised data. The Information Commissioner’s Office (ICO) will come down much harder if the correct measures are not in place, so businesses must be able to demonstrate they have done all they can.
In 2020, British Airways was fined after users of its website were directed to a fraudulent site, where hackers were able to harvest the personal data of around 400,000 people, including login and travel booking details, names, addresses and credit card information. The ICO issued a fine of £20m - the largest fine under GDPR to date, as it found that the hack was the result of BA’s negligence. Not only did this have a huge financial consequence for the company, which was already suffering financially under lockdown rules, it caused a catastrophic blow to its reputation.
If you avoid thinking about your business’s data protection, either because you don’t understand how to take the first step or feel it’s not your responsibility, and then something goes wrong, there could be business-ending consequences. Are you willing to take that risk?
UK-based Tier 3 data centres
Our experts at Intercity can offer consultancy time, with a full review of your IT infrastructure and data storage. This will lead to Intercity sharing a proposal, covering the best ways to reduce risk, control costs and create a platform for growth.
Storing data with a third-party service provider like Intercity is also a cost-effective solution, as businesses only pay for what they use, resulting in a predictable spend analysis and no capital expense of buying hardware, software and setting up and running on-site data centres. Data is delivered from our UK-based, geo-redundant Tier 3 data centres, so the data is stored in geographically diverse locations across the country, to safeguard against catastrophic events and natural disasters, as well as to balance traffic for optimal performance.
When it comes to your data and where it’s stored, location is everything.
