Remember all the fuss about data sovereignty that came with the emergence of cloud computing? Many organizations were worried about the compliance consequences of hosting data in far-flung data centers.
Cloud service providers have since alleviated some of these concerns with initiatives such as building more data centers in more countries. However, the recent data-sharing trend and new privacy laws have put data sovereignty—the issue of which country has jurisdiction over data—back on the agenda for many enterprises.
This renewed concern is understandable given the variety of national laws and regulations governing how data is used, including where the information is stored. A dataset’s sovereignty is therefore vital.
Information will generally be subject to the laws of the nation in which it has been collected and stored. However, the issue of data sovereignty is not always clear-cut, particularly given the complexity of data exchanges between organizations based in different countries or within a single organization with operations in multiple countries.
The Data Sovereignty Dilemma
Many enterprises understand the new business imperative to share data with other organizations so they can gain access to new data and insights.
However, businesses need to protect sensitive information such as customers’ personally identifiable information (PII). Ensuring this data remains secure and private in data exchanges is crucial at a time of high-profile data leaks such as Facebook’s Cambridge Analytica scandal.
In addition, data sharing can complicate compliance with privacy and other regulations, particularly in exchanges that cross national boundaries. For example, the European Union’s General Data Protection Regulation (GDPR) has specific rules for organizations that collect customer data in the EU and transfer it outside the region.
What You Need to Know
There are several factors all parties should consider with any data-sharing project—such as gaining customers’ consent before sharing their data and defining the permitted use of shared data.
For data exchanges with an organization that operates in another country, here are additional questions we would advise answering before starting the project:
- Where was the data collected that you’re about to share? Where is the data physically stored?
- Which nation has jurisdiction over the dataset you’re about to share? And what regulators and regulations govern the collection and use of that data? Consider the extra-territorial application of laws, particularly in the US and EU.
- Does the dataset you’re about to share have sensitive data such as PII? Does that information need to be anonymized or otherwise protected in data exchanges under the regulations?
- What are the risks (such as reidentification of PII) of sharing the data? Should you consider taking further measures—beyond what’s required by regulations—to mitigate those risks?
- How and where will the data be exchanged?
- Where does the other organization operate? And where will that organization be storing and using the shared dataset?
- What, if any, new regulatory considerations need to be taken into account by virtue of the exchange? Do those considerations impact the original dataset?
- What security measures are in place for the exchange?
- After the exchange, will you have visibility and control over who accesses the shared dataset, and how and where it will be used?
The Data Governance Solution
Answering the first question—identifying where your data is located—is challenging enough for many large organizations. An extensive data audit may be a good one-off solution, although it’s not a feasible option for regular data exchanges.
Introducing a strong data governance framework, along with a data audit, will go a long way towards solving the data-sharing dilemma. But it won’t solve every issue. For example, you may not have visibility or control over the dataset after the exchange, making compliance with data regulations more difficult.
The most comprehensive solution is to have a holistic data strategy, including use of a data-exchange platform such as Data Republic, which has a strong built-in governance framework.
Data Republic’s governance framework has seven controls. These give businesses the ability to better manage the risk of sensitive information being disclosed while maximizing the utility of data.
Data Republic’s controls are particularly well suited to data exchanges between multiple organizations and within a single organization with multiple subsidiaries (including in different countries), because they can provide full visibility of and control over shared datasets. For example, the platform offers data auditing, allowing an organization to track who accessed its dataset and how it was used.
Securing the Data Exchange
Data Republic’s platform offers a range of features and private-by-design infrastructure to manage data sovereignty when running a data collaboration project. Security features ensure data collaboration projects are governed correctly.
Some features include:
- Audit logs of all interactions with data sets on the platform
- Access and user permissions on a project basis
- Governance checks on outputs to ensure that data collaboration projects adhere to the license terms
Datasets cannot be extracted from the platform without explicit permission. Analysts access the shared datasets on the platform in a virtual machine and can extract only the insight from the analysis. This feature does not ensure compliance with all data sovereignty laws, but it does reduce the risks of data exchanges across jurisdictions.
Data Republic’s Matching service integrates with the platform to securely and accurately match anonymized datasets from two or more organizations. Data Republic protects sensitive data in several ways. For example, PII is salted, hashed, ‘sliced’, and decentralized. So, unlike most data exchange techniques, Data Republic ensures there’s no tempting target—or ‘honeypot’—for hackers seeking to steal data.
Customer personally identifiable information (PII) is uploaded to a Contributor Node behind your organization’s firewall and goes through a process of tokenization, salting, hashing and slicing before a matching project is launched. Raw PII is never exchanged, which means data matching projects are compliant with privacy regulations in specific regions around the world. With PII removed, the risk of re-identification is significantly reduced while still enabling data matching to occur.
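The salting, hashing and slicing flow described above, sketched as an added illustration; this is not Data Republic's code or algorithm. The HMAC-SHA-256 construction, the salt value, the four-way slice count and all function names are assumptions made for the example, and tokenization is folded into the hashing step.

```python
import hashlib
import hmac
import unicodedata

# Constructed values: the page does not say how the salt is generated
# or how many slices are used.
PROJECT_SALT = b"constructed-per-project-salt"
NUM_SLICES = 4

def normalize(email: str) -> bytes:
    """Canonicalize so the same person hashes identically at both parties."""
    return unicodedata.normalize("NFKC", email).strip().lower().encode("utf-8")

def token(email: str, salt: bytes = PROJECT_SALT) -> bytes:
    """Salted (keyed) hash of the identifier; raw PII never goes past this call."""
    return hmac.new(salt, normalize(email), hashlib.sha256).digest()

def slices(digest: bytes, n: int = NUM_SLICES) -> list:
    """Cut the digest into n equal parts, one per matching node."""
    size = len(digest) // n
    return [digest[i * size:(i + 1) * size] for i in range(n)]

def node_match(a_slices: dict, b_slices: dict) -> set:
    """A node holds one slice per row and reports row-id pairs whose slice agrees."""
    index = {}
    for row, s in b_slices.items():
        index.setdefault(s, []).append(row)
    return {(ra, rb) for ra, s in a_slices.items() for rb in index.get(s, [])}

def match(org_a: dict, org_b: dict) -> set:
    """A pair is a match only if every node independently reports it."""
    a = {row: slices(token(e)) for row, e in org_a.items()}
    b = {row: slices(token(e)) for row, e in org_b.items()}
    results = [
        node_match({r: s[i] for r, s in a.items()}, {r: s[i] for r, s in b.items()})
        for i in range(NUM_SLICES)
    ]
    return set.intersection(*results)

# Constructed sample records (row id -> email).
ORG_A = {"a1": "Alice@Example.com ", "a2": "bob@example.com", "a3": "carol@example.com"}
ORG_B = {"b7": "alice@example.com", "b8": "dave@example.com", "b9": "BOB@example.com"}

if __name__ == "__main__":
    print(sorted(match(ORG_A, ORG_B)))
```

Identifiers such as email addresses are low-entropy, so in a scheme like this the salt has to stay secret: anyone holding both the salt and the hashes can rebuild the mapping with a dictionary of candidate addresses.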
Cutting Through the Red Tape
Finally, there’s the challenge of setting up a legal agreement for international data exchanges. This can take months or even years of sorting out issues such as intellectual property and the complexities of privacy laws and other regulations in multiple jurisdictions.
To help organizations cut through this red tape, Data Republic offers a flexible legal framework. Our rich experience with data-sharing arrangements has enabled us to simplify the legal process with options such as a ready-made agreement. However, the framework is highly modular and can be customized by the participating organizations.
As a result, creating a new data-sharing arrangement often takes less than a month—and it’s highly repeatable.
Using this framework and Data Republic’s other tools, a business can rapidly scale its data-sharing initiatives. It can become an agile, data-driven enterprise while remaining compliant with all relevant regulations—no matter where the data comes from.
The Data Sovereignty Challenge
The challenge that data sovereignty presents businesses is not something that can be easily solved. There may need to be a shift in laws by governments and regulatory bodies to ensure the value of data can be utilized across regional borders, while still protecting the rights and privacy of people around the world. The questions in this article are a starting point for understanding the challenges of data sovereignty. As always, ensuring compliance with the law and privacy for customers is of paramount importance. Secure technology and a data governance framework can help businesses navigate data sovereignty while still getting value from shared datasets.