
Data Sovereignty: Meeting Data Sovereignty challenges while migrating to the Cloud

06 June 2020 | Guruprasad Muralidharan

The unprecedented disruption caused by COVID-19 has had an economic impact on many Small and Medium Enterprise (SME) as well as the larger homegrown enterprises that are the backbone of the UAE economy. In their bid to maintain business continuity, support the work from home restrictions, and reduce the cost of operations, many organisations are actively evaluating their IT strategies to include Cloud as part of their technology landscape.

According to a recent report in CIO magazine, overall IT spending in the Middle East and North Africa is expected to decline by 6%. Still, long-term digital transformation projects involving Cloud computing are expected to exceed Gartner's 2023-2024 Cloud spending estimates as early as 2022. As the global nature of cloud technology continues to evolve, the challenge of establishing data sovereignty that meets national and regional federal regulations becomes more complex.

While Cloud Service Providers offer different architectural models (hybrid, public, and private), it remains imperative to understand and address the legislation applicable to every party involved. Regardless of the model, organisations must consider the legal complexities and issues related to how they collect, store, process, and ultimately destroy data. Furthermore, while Cloud Service Providers are offering increasingly robust security measures, organisations remain ultimately responsible for securing their IT operations on the Cloud.

Key Challenges

The road to establishing a robust compliance framework towards long term data sovereignty faces multiple hurdles. Some of the key challenges include:

Barriers to Cloud Adoption: In the recently published 2019 Cloud Security Report [1], the survey results indicated that the top cloud security challenges remain data loss (64%) and data privacy (62%), followed by data compliance concerns (39%) and concerns about accidental exposure of credentials (39%). Further findings in the report indicate that the critical inhibitors to cloud adoption remain concerns over data security, loss and leakage (29%), and legal and compliance (26%).

Cost of Data Breach: In a recent report published by IBM Security [2], of the 26 factors contributing to the cost of a data breach, the five that contributed the most were third-party involvement, compliance failure, extensive cloud migration, system complexity, and operational technology (OT).

Technology/regulator lag: As nationalist requirements such as "one soil" (data persisting within national borders) become much more prevalent, the ability to identify the countries where data is stored and to keep that data persistent regionally needs to become more demonstrable to regulators. This factor was highlighted as one of the top 5 risks in Q3 2019 by Gartner [3]. The adoption of such a requirement is a double-edged sword. While all organisations are keen to ensure compliance with the regulatory requirements, proving compliance from a technical perspective is difficult. In particular, when sensitive data is allowed to flow through a Cloud application (for example, when operating through an alternate, non-local DR site), this could constitute a deviation from the defined and expected regulatory framework.

Approach to establishing a robust Data Sovereignty framework

As each organisation develops a cloud risk management framework balancing potential rewards against uncertain losses, the challenge stems from an inadequate comprehension of the different kinds of risk and from imperfect consideration of the differing outlooks with which people approach risk mitigation. Hence, the following three-pronged approach could guide organisations in establishing a robust data sovereignty framework.

Phase I: Understanding the legislation roadmap

The first phase towards establishing a robust compliance roadmap requires organisations operating in the UAE and in the broader Middle East to be aware of the various regulations applicable in the region (Table 1).

Table 1. Regulations and global standards by country*

UAE (Federal Laws)
  • Credit Information Law (Federal Law No 6 of 2010) and the Cabinet Regulations No 16 of 2014 (the Regulations) [4]
  • Federal Law No 2 of 2019 (Health Data Law) [5]
  • Central Bank issued Digital Payment Regulation (2017)
UAE (State/Free zone Laws)
  • Dubai Data Law
  • DIFC Data Protection Regulation (consolidated version No 3, 2018)
  • ADGM Data Protection (Amendment) Regulations 2018
  • DHCC Health Data Protection Regulations No 7 of 2013
Saudi Arabia
  • Shari'a principles
  • SAMA Regulations
  • Upcoming: Freedom of Information and Protection of Private Data Law [6]
Kuwait
  • Law No. 20 of 2014 (the E-Commerce Law)
Oman
  • Royal Decree 101/1996 (Article 30)
  • Royal Decree 97/1999 (Article 90)
  • Royal Decree 69/2008 (ETL)
Egypt
  • Egyptian Banking Law no. 88/2003
  • Article 57 of the Egyptian Constitution
Bahrain
  • Consumer Protection Law (Law No. 35 of 2012) [7]
  • Personal Data Protection (Law No. 30 of 2018)
Qatar (Federal)
  • Law No. (13) of 2016 (Data Protection Law)
Qatar (Free Zone)
  • QFC Data Protection Regulations (DPL)
Global standards
  • NIST Privacy Framework: A tool for improving privacy through enterprise risk management
  • NIST SP 800-53
  • HIPAA
  • ISO 27001:2013
  • ISO/IEC 27002:2013
  • ISO/IEC 27017:2015
  • SOC1, SOC2, SOC3
  • PCI DSS

* At the time of this blog's publication, the author was aware of the above regulations published by regional regulators.

Phase II: Compliance framework

The second phase towards establishing a robust compliance framework is to institute a top-down Information Governance model. This model involves establishing a data privacy compliance program that is integrated with Information/Cybersecurity initiatives.

The privacy by design concept begins with determining the 'crown jewels': the data that the respective regulators require organisations to identify and protect. The "compliance by design" concept is where organisations take control of how they handle data as an asset and establish a context of data sovereignty.

As per Securosis [8], the lifecycle of data can be divided into six phases, from creation to destruction: creation, storage, usage, sharing, archival, and destruction. Hence, as a prelude to developing a compliance program, organisations will need to perform extensive data mapping and a comprehensive inventory process. From a business point of view, organisations must calibrate the appropriate level of privacy to be sustained throughout this data lifecycle.

In addition to the above, the approach calls for organisations to perform a "deep dive" assessment of their current data management processes and to align them with the Information Security and Data Privacy organisation structure, defining updated roles and responsibilities that support the compliance framework. Such structuring includes establishing a comprehensive vendor governance program that maps data flows not only within the organisation but also across the information exchanges performed as part of business delivery.

Phase III: Establishing an Information Governance reference framework

The final phase in establishing a compliance by design program is to assess whether the organisation is indeed compliant with the regulations. This could involve establishing a Data Privacy Framework, conducting periodic compulsory Data Privacy Training and Awareness Programs for senior management and personnel handling sensitive data, and conducting Data Privacy Audits to identify gaps and develop a robust risk mitigation process. It is also critical that the responsible staff are trained and skilled in both Data Privacy principles and the technical nuances of the data management framework, including data migration, data backup and data restoration to and from the Cloud, to ensure data confidentiality, integrity and completeness.

Conclusion

The backbone of a successful privacy design framework is often a well-calculated economic trade-off. Hence, when handling sensitive data sets, organisations should adopt rigorous definitions of privacy in which residual risks are quantified and well understood. The reduction in the cost of storing and manipulating consumer-centric information has led organisations to capture increasing amounts of social media data. New trade-offs must establish data sovereignty in which quantitative and qualitative risk assessments, leveraging the data privacy compliance framework (especially for the migration of data to the Cloud), are linked closely with privacy, technology, and their economics.

[1] Cloud Security Report, 2019
[2] Cost of a Data Breach Report, 2019
[3] Digitalization Misconceptions Threaten Organizations as the Top Emerging Risk in 3Q19, 2019
[4] Information Security and Data Protection Laws in GCC, n.d.
[5] Healthcare Data Protection in the UAE, n.d.
[6] Saudi Arabia: Data Privacy Landscape, n.d.
[7] Consumer Protection Law, n.d.
[8] Data Security Lifecycle, 2011

© Digital14. All rights reserved.