Data sovereignty, Data security and Data location


by Mark Bollingh

While there are a lot of conversations going on regarding AI, data and security, it is noticeable that there is some confusion around data sovereignty, data location and data security. The objective of this article is to provide a short summary of each and the key differences between the three.

What is data location?

Data location is about the geographical, physical, or logical location where the data is stored. This could be within a specific data center, cloud region, or even across multiple geographical locations. Therefore, knowledge of the local laws and regulations is important during the selection or creation of a data center.

What is data sovereignty?

Data sovereignty refers to the legal and regulatory controls of the country where the data is located, as well as any data protection standards that must be applied to the data. Data generated in Europe, for example, is subject to GDPR and NIS2. Other local legislation may be relevant as well, such as mandatory retention periods for certain document types before disposal is permitted (e.g. keeping invoices for 7 years). Therefore, during application design it is imperative to define and classify the different information types the application uses. This way, you can ensure that the proper data location and security controls are applied to each type.

What is data security?

Data security covers the following:

  • The creation of several security policies, including data backup and restoration, and disaster recovery policies to safeguard data. It is highly recommended to include hardware components like firewalls, access points, and smart switches in the scope of the security policies. Hardware is often overlooked as a possible intrusion point, yet physical components pose an equal risk of data corruption or of sensitive data being rerouted out of the organization.
  • The creation and implementation of a security responsibility assignment matrix, better known as a RACI matrix. The matrix aims to prevent unauthorized access to non-public data. During the development of the RACI matrix, it is imperative to question every type of access: who requires it, and under which circumstances.
  • The creation and implementation of audit reports proving compliance with internal and external regulations. Audit activity should produce reports that confirm compliance to internal management, as well as to internal and external oversight bodies.

These three concepts, data location, sovereignty, and security, are strongly interconnected. The location of data determines which sovereignty rules apply, and the protection measures in place are critical regardless of where the data is stored.

For more information, please contact us at hello@privatum.be.