If you’re a managed service provider who offers data management solutions, you are probably familiar with the technical aspects of serving, protecting and otherwise managing data spread across large geographic distances.
But are you also an expert in data sovereignty? If you serve clients whose data landscapes span multiple political jurisdictions, you need to be. Increasingly, understanding and addressing data sovereignty requirements is a key element of data management for MSPs who operate across borders. With that reality in mind, let’s talk about what data sovereignty means for MSPs.
What Is Data Sovereignty?
Data sovereignty is the concept of managing digital information according to the laws of the political jurisdictions where the data is collected or generated. Governments have the right to establish policies regarding how data that is stored within their borders must be managed, and data sovereignty is a recognition of those rights.
What Is Data Sovereignty?
Data sovereignty is the concept of managing digital information according to the laws of the political jurisdictions where the data is collected or generated. Governments have the right to establish policies regarding how data that is stored within their borders must be managed, and data sovereignty is a recognition of those rights.
For example, data generated in the European Union is subject to the data protection and privacy mandates established by the General Data Protection Regulation. Likewise, data generated in California must comply with the California Privacy Rights Act. The GDPR and CPRA are both examples of regulations established by governments or government agencies that require data stewards, meaning any person or organization who is responsible for data, to manage data in certain ways.
What Data Sovereignty Means for MSPs
Because MSPs typically support multiple businesses that may operate in a wide variety of regions, they face an especially complex set of rules related to data sovereignty. To avoid triggering penalties and fines, MSPs must address all applicable data sovereignty requirements for their various customers.
Any penalties and fines would typically apply to the organizations that own the data, not the MSPs they hire, although there may be exceptions depending on which compliance rules apply in a given context. Still, any MSP seeking to deliver great service and maintain an excellent reputation as a trustworthy data steward needs to be on top of its clients’ data sovereignty obligations.
Data Sovereignty Challenges for MSPs
Addressing data sovereignty requirements can be challenging in many respects, even for MSPs who are seasoned in data management.
Complex data management technology
Managing data sovereignty needs may require preventing data from leaving a particular jurisdiction so that the data sovereignty rules that govern it don’t change. For example, Russia requires personal data of Russian citizens to be stored in Russia. Companies like LinkedIn have faced access restrictions in Russia for not complying with these data localization laws.
Unfortunately, there is no easy way to guarantee data residency. You can’t simply establish controls at the file system or data storage infrastructure levels to prevent data movement out of a particular country, for instance.
Instead, MSPs must carefully track the physical location of data centers that store data, then ensure that data does not enter data centers that would bring it to a foreign region. Cloud identity and access management frameworks and geofencing tools can help on this front, assuming the data is stored in the public cloud.
Cross-border data transfers
Sometimes, data has to move across borders, creating ambiguities about which data sovereignty regulations to apply. This can lead to legal challenges, such as the 2020 Schrems II case involving data transfer from the E.U. to the United States. For MSPs, this means that answering the seemingly simple question of which data regulations apply to the data they manage can become a real challenge when their clients operate across multiple jurisdictions.
The need for multiple data centers
To respect data sovereignty, MSPs who manage data may need to operate multiple data centers, leading to increased operational complexity and costs. Even if you place data in public cloud data centers, which avoids the expense of having to build multiple data centers yourself, you must contend with the complexity of configuring, protecting and otherwise managing data spread across multiple locations.
Less flexibility
A core selling-point of cloud computing is the cloud’s ability to breed flexibility and efficiency. However, complex data sovereignty issues can undercut these capabilities, leaving MSPs who embrace the cloud with a lower return on investment on cloud investments due to reduced data mobility.
Best practices for managing data sovereignty
Unfortunately, there is no singular or simple solution for mitigating data sovereignty challenges as a managed service provider. There are effective steps MSPs can take to address the difficulties described above, though.
Maintain data catalogs
Setting up a data catalog that includes information about the data sovereignty and compliance rules that apply to each data asset is a key best practice for establishing visibility into which data sovereignty rules you must meet for clients.
Default to strict data requirements
Rather than trying to apply different data privacy and protection strategies depending on the local rules of each region where your customers store data, a simpler approach is to default to following the policies of the strictest location you contend with. That way, you get a uniform approach to data management that meets — or, in some regions, exceeds — whichever data rules your clients must follow.
Separate data from apps
Just because a customer hosts apps in one location doesn’t mean data has to reside in the same location. By separating apps from data, you can gain more flexibility over which data sovereignty rules apply. Just remember that cross-border reading or writing of data by applications could trigger varying data sovereignty requirements if it means moving data between jurisdictions with different rules.
Isolate cloud accounts
If you use public cloud environments to support your customers’ data management needs, consider creating separate accounts for each jurisdiction you are working with. Although separate accounts make it harder to integrate cloud resources and consistently manage cloud environments, it also reduces the risks of accidentally moving data from one region to another, which is a clear benefit from the perspective of data sovereignty.
Continuously monitor data regulations
Data privacy and compliance regulations are constantly changing as jurisdictions update existing rules and introduce new ones. As an MSP, be sure to follow news about data regulations in any jurisdictions that you need to support.
Respecting Data Sovereignty as an MSP
Managing data sovereignty is complicated enough for a single business that operates in multiple jurisdictions. But when you’re an MSP delivering managed data services for multiple clients, you face an even steeper set of challenges surrounding data sovereignty. Although there’s no one-size-fits-all way to mitigate those difficulties, there are a set of steps you can take — such as establishing data catalogs, isolating cloud accounts and separating data from apps where feasible — to simplify data sovereignty.
.jpg)
