What CIOs and IT heads should evaluate about data sovereignty

The world of data regulation is complex and vast. Laws often vary from region to region and country to country, governing where companies store data and where that data can reside while in transit.

Given the multiple, sometimes inconsistent array of data regulations, the responsibility for staying current on data sovereignty often falls on the shoulders of IT teams. The stakes for compliance are high. Running afoul of the many regulations or laws can cost companies and individuals money and resources.

Given this, here are a few essential tips about data sovereignty.

1. Know whose rules to follow. When it comes to data sovereignty, there's one fundamental consideration. Who has authority over the data? Given diverse and overlapping jurisdictional mandates, this question is not always as straightforward as it seems. But the country in which data is collected is critical. For instance, if you collect data in the U.S., you'll need to adhere to U.S. laws. If you collect data in India, you'll need to adhere to Indian government regulations.

2. Ask the right questions. Privacy and security are two critical factors for responsible stewardship. However, privacy and security protections are not often straightforward. Make sure you understand government regulations in these two areas or find local legal counsel with expertise in privacy law. With data sovereignty, proactive beats reactive. If issues arise, counsel may be well worth the cost.

3. Know what to retain. Data retention policies are put in place for our protection. However, it's difficult for lawmakers to stay current with ever-changing technological advances and data usage. Consequently, sovereignty's practical and legal realities are intertwined, overlapping, and incredibly complex. If you're unsure of what to keep and for how long, seek expert counsel to ensure your IT policies hold on to the correct information. Aside from understanding more extensive data retention policies, ensure data is kept as safe as possible through encryption.

4. Manage compliance risk. Other complexities, such as the type of data and the entity storing data, will affect your policies and risk management planning. The more sensitive the data, the more investment you'll need to make in security and risk management. Even within a single organization, compliance depends on the type of data. For instance, credit card data should be treated differently than anonymized server logs. Non-published public company financial data needs to be treated differently than individual health care records. There are essential distinctions between regional and international laws, and each must be considered.

5. Plan and execute migrations carefully. Often, laws mandate that organizations store their infrastructure and data within their country's jurisdiction. These laws often prohibit data storage outside their domain, even for a moment. Therefore, it's vital to have a plan when moving data from one location to another. Assess your data, clean it up, and know how you'll move it. Often, this means investing in software that will give you the ability to specify where your data resides while in transit.

6. Educate Others. Noncompliance can lead to hefty fines, legal action against your organization, or even criminal charges. For this reason, business leaders and managers must understand data sovereignty laws. If you're an IT professional with an MSP, make sure your clients know the rules, and communicate how you'll keep your company in compliance.

Maintaining and understanding data sovereignty is an ongoing process requiring thought and care. Laws and regulations evolve from region to region, and best practices for keeping data sovereignty compliance include accountability, the establishment of policy, investment in technology, and education.

The tech world changes every day. If you don't stay current, you and your business can fall behind quickly. With massive amounts of data on the horizon, enterprises must understand their obligations surrounding data sovereignty.

The author is the Managing Director for the Asia Pacific for BitTitan, a cloud enablement services provider