Is data sovereignty a concern in your cloud system?
As cloud technology is able to expand across country borders, the issue of how to navigate different levels of data sovereignty becomes key.
The concept of data sovereignty is multifaceted and complex, though the base definition is rather simple. As the Cyber Law Centre for the University of New South Wales put it, data sovereignty is the idea that information is subject to the rules of the country in which it resides. Depending on the location, the local jurisdiction may have its own policies regarding the coverage, retention and destruction of data that differ from those of the country of origin.
With the introduction of cloud software, data sovereignty became a much more contentious issue. In a paper for the European Journal for Law and Technology, De Filippi and McCarthy explained that many businesses are reluctant to use it as they perceive that they will be unable to maintain control over what they post.
Indeed, the uncertainty over which laws apply to data in the cloud can be a major issue. The location of the server may be at an offshore site, according to OneNet President Dr Michael Snowden. For peace of mind, he emphasised that businesses should be aware of exactly where the data is located, particularly for sensitive areas like recruitment software. Once this is known, businesses can find out the regulations of the country and how they can stay compliant.
How can your business stay on top of regulations?
When it comes to operating in Australia, the government has taken action to protect the ownership of business data. The Department of Defence has recently provided the guidelines for an IRAP assessment, which outline the auditing process to ensure third-party servers are secure in a number of areas, including data sovereignty issues.
The process takes place in two stages: the identification of the issue and the steps needed to ensure compliance. First, a certified assessor will take a look at the security systems in a company to gain an overall understanding of how they work. Then the assessor will test the security components in accordance with government guidelines before finally making recommendations and deciding if the system has earned a compliance certificate.
If you want to bypass this process, it may be wise to choose a productivity solution that has data sovereignty protection already implemented. However, having a basic knowledge of the IRAP requirements will enable you to ask the right questions of your software provider.