Borderless Data vs. Data Sovereignty: Can They Co-Exist?

Organizations that remain compliant with data-sovereignty regulations while enabling cross-border data sharing gain significant competitive advantage because they can make quick, agile, and informed decisions.


Since the dawn of the digital age, businesses have worked under the assumption that data is like water. It is the source of nourishment for business operations. It's been free-flowing – with little to no limitations on how it's collected, stored, processed, and moved. But today, that tap has been turned off, rivers rerouted, and dams created by privacy regulations blocking an essential business element.

Companies have built global businesses by sharing data, and decades of globalization are being reversed by privacy regulations. As data privacy gains momentum through data sovereignty laws, they must now learn how to deliver the same level of customer service, meet delivery deadlines, and communicate across supply chains while remaining compliant. This leaves organizations balancing seemingly opposing goals: advancing the business with data sharing, artificial intelligence (AI), and machine learning, while maintaining compliance.

May 2023 marked the fifth anniversary of the European Union General Data Protection Regulation (GDPR) taking effect, the law that set the template (and arguably the high-water mark) for modern data privacy regulation. Over 130 similar laws have passed since, with many more on the horizon. At the time of writing, Canada's Digital Charter Implementation Act (Bill C-27) and India's Digital Personal Data Protection (DPDP) Bill were before their legislatures, and the Colorado Privacy Act (CPA) and the Utah Consumer Privacy Act (UCPA) take effect this year. While consumers welcome the laws' protections, organizations accustomed to collecting, using, and sharing data across borders struggle to balance compliance with business needs.

Compliance Challenges

Businesses have long understood that data sharing has limits (or borders). Legal separations keep data from different subsidiaries distinct or limit sharing between partners to specific data types. Multi-tenant software applications require logical partitions to keep each customer's data private. What is changing rapidly is the arrival of data sovereignty laws, often presented as "data privacy" regulations, that impose geographic boundaries on where data may be processed and stored. Businesses must comply with the laws of each country in which they operate, and data sovereignty presents a clear compliance challenge as companies rethink how and where they acquire, share, and protect personal data.

Countries that require personal data to stay inside their borders may regard their citizens' data as being of strategic national importance. More often, the requirement is an enforcement mechanism that treats personal data as an asset belonging to the individual, which businesses may use and share only under that country's laws. Recent data sovereignty requirements cannot be engineered around or offloaded onto consumer consent. They must be followed, and doing so while conducting business is a significant challenge. Companies operating globally need to move and process sensitive data across complex legal, corporate, geopolitical, and regulatory boundaries, and data localization puts their cloud strategies at risk.

The Cost of Doing Business Across Borders

Organizations face significant costs when operating under data sovereignty laws. The largest is the duplication of technology, people, and resources needed to meet sovereignty requirements: to comply, businesses often replicate internal resources in each region or country so that data never leaves its original jurisdiction. Duplication is expensive, but failing to take active measures to protect personal data can be more expensive still, because the fines are hefty.

In May 2023, Ireland's Data Protection Commission, acting on a binding decision of the European Data Protection Board, fined US-based Meta €1.2 billion (about $1.3 billion) for transferring EU users' personal data to the United States without adequate protection, and ordered the transfers suspended. Meta had relied on "standard contractual clauses," a common mechanism that rests on contract language (an obligation placed on the recipient) rather than on technical controls. Following the Court of Justice of the European Union's Schrems II judgment, the regulator found that those clauses did not address the risks to EU data subjects. The lesson for practitioners is that a contract does not prevent access to data that is held in the clear; robust technical data-protection mechanisms applied to the data itself are what keep companies clear of such fines and keep customer data safe.

Using expensive third-party data processors to satisfy localization requirements is another issue. While this reduces compliance risk, it adds security risk, because the data is now in another party's hands and depends on that party's controls. Legacy technologies, including dynamic data masking, access control lists, and file-based protection methods, were built to protect data where it sits inside one system, not to carry a jurisdiction's rules with the data as it moves, and they were not designed for today's compliance requirements.

Community and national leaders may argue that the extra costs to comply with sovereignty laws are the price of doing business. But for many, those costs could be too high.

Solutions for Reintegrating Borderless Data

As the Information Technology and Innovation Foundation states, "Data is the lifeblood of the modern global economy... Businesses use data to create value, and many can only maximize that value when data can flow freely across borders." However, for borderless data and data sovereignty to coexist, businesses must find compliant ways to enable cross-border data sharing. That's where tokenization comes in.

Tokenization replaces each sensitive value with a surrogate token and keeps the only mapping back to the original value in a vault. The tokens can be shared with other users and companies, and most processing (joins, counts, reporting) can run on them, while the vault and its keys stay inside the jurisdiction whose rules apply. A ruling by the General Court of the European Union in April 2023 shows why this matters. In Case T-557/20, SRB v EDPS, the court held that pseudonymized data transmitted to a recipient is not personal data in the recipient's hands if the recipient has no legal means to reidentify the data subjects. The practical corollary is that the protection holds only as long as the recipient genuinely cannot reidentify anyone: the vault, the detokenization interface, and any keys must remain out of the recipient's reach, and the organization that holds them is still processing personal data and still bound by the local law. The judgment has been appealed by the EDPS, so companies with transborder data flows should track the outcome, but it already makes finding compliant ways to enable cross-border data sharing even more critical.

More broadly, efficient global compliance requires centralized data policy, logging, auditing, and monitoring that apply at scale across applications. Automated systems that provide centralized, continuous protection, audit, and compliance for personally identifiable information (PII) reduce compliance costs and open new opportunities to compete on data. Keeping the policy central while federating its enforcement to the regions where the data lives lets organizations avoid duplicating an entire stack in every jurisdiction.
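As an added illustration, not the authors' or Protegrity's code, the following Python sketch shows the tokenization pattern described two paragraphs above together with the centralized audit trail the preceding paragraph calls for: a vault that is assumed to live inside the origin jurisdiction issues tokens, the tokenized records are what crosses the border, a recipient runs analytics on them, and every re-identification attempt is checked against a jurisdiction policy and logged. The class and function names, the policy, and the customer records are all constructed for the example.

```python
# Added example (not from the article): vault tokenization with the
# re-identification capability pinned to one jurisdiction.
import hashlib
import hmac
import secrets
from datetime import datetime, timezone


class TokenVault:
    """Holds the only mapping from tokens back to PII.

    The vault, its lookup key and its audit log are assumed to be deployed
    and stored inside `jurisdiction`; the tokens it issues carry no PII
    and can be sent anywhere.
    """

    def __init__(self, jurisdiction, detokenize_allowed_from):
        self.jurisdiction = jurisdiction
        self._allowed = frozenset(detokenize_allowed_from)
        # Secret HMAC key: the deterministic lookup index cannot be rebuilt
        # (or brute-forced from guessed values) without the vault.
        self._index_key = secrets.token_bytes(32)
        self._token_to_value = {}   # token -> (field, plaintext)
        self._index_to_token = {}   # HMAC(field, plaintext) -> token
        self.audit_log = []         # one entry per detokenize attempt

    def _index(self, field, value):
        msg = f"{field}\x00{value}".encode()
        return hmac.new(self._index_key, msg, hashlib.sha256).hexdigest()

    def tokenize(self, field, value, deterministic=False):
        """Return a token for `value`.

        deterministic=True returns the same token for the same value so the
        recipient can join or count on the field; it also reveals which
        records share a value, so use it only where that linkage is wanted.
        """
        idx = self._index(field, value) if deterministic else None
        if idx is not None and idx in self._index_to_token:
            return self._index_to_token[idx]
        token = f"tok_{field}_{secrets.token_hex(8)}"   # random surrogate
        self._token_to_value[token] = (field, value)
        if idx is not None:
            self._index_to_token[idx] = token
        return token

    def detokenize(self, token, requester_jurisdiction, purpose):
        """Re-identify a token; only callers in an allowed jurisdiction may."""
        allowed = requester_jurisdiction in self._allowed
        self.audit_log.append({          # logged before the decision is enforced
            "ts": datetime.now(timezone.utc).isoformat(),
            "token": token,
            "requester": requester_jurisdiction,
            "purpose": purpose,
            "allowed": allowed,
        })
        if not allowed:
            raise PermissionError(
                f"detokenize from {requester_jurisdiction} not permitted "
                f"by {self.jurisdiction} policy")
        return self._token_to_value[token][1]


# Hypothetical policy: which fields are PII and whether they may be joined on.
PII_FIELDS = {"email": True, "full_name": False}   # field -> deterministic?


def export_for_transfer(records, vault):
    """Replace PII fields with tokens; non-PII fields pass through unchanged."""
    out = []
    for rec in records:
        safe = dict(rec)
        for field, deterministic in PII_FIELDS.items():
            if field in safe:
                safe[field] = vault.tokenize(field, safe[field], deterministic)
        out.append(safe)
    return out


def orders_per_customer(tokenized_records):
    """Recipient-side analytics: aggregate by tokenized email, no PII seen."""
    counts = {}
    for rec in tokenized_records:
        counts[rec["email"]] = counts.get(rec["email"], 0) + rec["orders"]
    return counts


# Constructed sample data; these are not real customers.
SAMPLE_RECORDS = [
    {"email": "a.nowak@example.eu", "full_name": "Anna Nowak", "orders": 2},
    {"email": "a.nowak@example.eu", "full_name": "Anna Nowak", "orders": 3},
    {"email": "l.costa@example.eu", "full_name": "Luis Costa", "orders": 1},
]


def demo():
    """EU vault; tokens go to a US partner; only EU callers may re-identify."""
    vault = TokenVault("EU", detokenize_allowed_from={"EU"})
    exported = export_for_transfer(SAMPLE_RECORDS, vault)
    counts = orders_per_customer(exported)         # runs on tokens only
    try:
        vault.detokenize(exported[0]["email"], "US", "marketing")
        blocked = False
    except PermissionError:
        blocked = True
    original = vault.detokenize(exported[0]["email"], "EU", "support case")
    return exported, counts, blocked, original, vault.audit_log


if __name__ == "__main__":
    exported, counts, blocked, original, log = demo()
    print(exported)
    print(counts, blocked, original)
    print(log)
```

Deterministic tokens preserve equality, so the recipient can still count orders per customer, at the cost of revealing which records belong to the same person; random tokens, used here for names, reveal nothing but cannot be joined. A production vault would also need key management, durable storage, and access control on the vault service itself; the point of the sketch is that the recipient holds tokens and nothing it can reverse, and that every attempt to reverse them leaves an audit record in the jurisdiction that owns the data.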

Policy and Commerce Can Co-Exist

Data sovereignty laws constantly change as technology and digital trends evolve. Therefore, organizations can't fall back on a "one-and-done" approach to compliance. It's essential to continually monitor and adjust to changing laws. Organizations that remain compliant while enabling borderless data gain a significant competitive advantage because they can make quick, agile, and informed decisions about customers and products in existing markets. In addition, the ability to share data across new regions opens new markets worldwide.

Ultimately, by complying with privacy and security regulations, organizations can protect customer data, build trust, and enhance their reputation, leading to increased customer loyalty. Loyalty equals revenue, and revenue equals long-term success.

About the Author(s)

Jessica Gulick

US Cyber Games Commissioner

Jessica Gulick is Commissioner of the US Cyber Games, a multi-phased cybersecurity program recruiting the US Cyber Team; CEO of Katzcy, a woman-owned growth strategy and marketing firm; and, founder of PlayCyber, a new business line promoting cyber games and tournaments. An MBA, CISSP and PMP, Gulick is a 20-year veteran in the cybersecurity industry with proven experience in starting businesses, leading cross-functional cyber teams, co-authoring NIST Special Publications, capturing commercial and government business and running epic cybersecurity games and tournaments. She is passionate about cybersecurity as an esport where players, fans, and companies can collaborate, and strongly advocates for diversity in the workforce. She is also the president of the board at the Women's Society of Cyberjutsu and a member of the Bay Path University Cybersecurity Education Advisory Council.

Nathan Vega

Vice President, Product Marketing & Strategy, Protegrity

Nathan Vega has spent his career defining, building, and delivering cybersecurity products to market. He is passionate about collaboration that builds and engages communities of practice inside and outside of InfoSec. Vega brings deep experience and expertise in data security and analytics, regularly providing thought leadership on data privacy, precision data protection, data sovereignty, compliance, and other critical industry issues. Before Protegrity, Vega worked at IBM, where he brought Watson to market as a tool set of Cloud APIs. He holds a bachelor of science in computer science and an MBA.
