Data Sovereignty in the Cloud

Topics in this article

The requirement to comply with data protection and privacy laws, like the EU’s General Data Protection Regulation (GDRP) and Australia’s privacy laws, drive the need to evaluate where enterprise organizations are storing their data in cloud data centers. If your organization hosts your own data centers, this can be challenging if you are multinational, but it can be just as difficult when you rely on SaaS providers to manage your data since the control of your data destination is a bit out of your hands.


If you’re using a SaaS application, such as Office 365 or Salesforce, and are backing up your data with a third-party backup provider, there are many factors to consider as you evaluate your data protection strategy. Understanding the regulations and requirements first and then considering how the providers handle your data are both important.

What privacy laws apply to my organization?
As you build a cloud and data protection strategy, start by evaluating the privacy laws that apply to your data and corporate policies, and compare that against your SaaS provider’s offering, including the primary data storage location and their replication strategy.

My strong suggestion is that you work directly with your audit, compliance and legal teams to ensure you fully understand the regulations that could be applied to you directly or indirectly through business relationships with organizations in other regions.

Generally, global privacy and data protection laws provide strong frameworks and mechanisms to transfer personal data to other countries and economic regions if required, but the regulations are typically strict and the penalties can be costly. As a result, many organizations decide to enforce data governance policies that ensure data remains within defined boundaries.

Below are a few examples of data privacy laws that may apply to your organization:

  • Europe:
    • EU Privacy Shield – On July 12, 2016, the European Commission adopted the EU-US Privacy Shield (the “Privacy Shield”), the new framework for transatlantic exchanges of personal data replacing the Safe Harbour agreement.
    • EU Data Protection Directive and Proposed GDRP – Under the Data Protection Directive, personal data must not be transferred to a recipient outside the EEA unless such a recipient is located in a country which is regarded to provide an “adequate” level of protection.
  • Australia:
    • Australian Privacy Principles – Require the recipient of the information to be subject to a law that is at least substantially similar to the way in which the Australian Privacy Principles protect the information; and the disclosure of the information is required or authorized by or under an Australian law.
  • Canada:
    • PIPEDA – Principle 1 states, “An organization is responsible for personal information in its possession or custody, including information that has been transferred to a third party for processing who must deliver a comparable level of protection.”
  • United States:
    • FISMA – US Governmental implementation of information security policies for non-national security federal Executive Branch systems, including data governance.
    • HIPAA – Regulates the privacy of protected health information (PHI) and requires business authority agreements between organizations.

For additional regional privacy and data protection laws, take a look at this comprehensive interactive online resource from DLA Piper.

How do I ensure my SaaS data location and protection complies with applicable laws?
Ask and then verify. As you evaluate a SaaS vendor, be sure to understand your options for where you data is processed, stored, replicated and archived. Vendors will offer a variety of options related to data privacy, and often, there will be varying options for specific services.

For example, if your organization is located in Canada, and you use Microsoft Office 365 services, Exchange Online, SharePoint Online and Skype for Business will be delivered from within Canadian data centers, but Azure Active Directory, Sway, Planner and Yammer will be delivered from the United States.

Here are the data location sites for Office 365, Salesforce, Google Apps for Work, and Spanning Backup:

  • Microsoft Office 365Data Center Map
  • Salesforce – Here is a list of primary data centers, and the corresponding secondary data centers.
  • Google Apps for Work – Google services employ a resiliency and redundancy strategy that replicates data across their global data centers.
  • Spanning Backup – Offers SaaS backup and recovery for Salesforce and Office 365 from US and EU-based data centers, and backup and recovery for Google Apps from the US.

In addition to identifying the location of your data, you should also verify that your SaaS provider possesses the certifications and declared controls required for your region and industry. At a minimum, ensure your provider holds an SSAE SOC 2 certification report and then evaluate if there are other regional or industry specific requirements like HIPAA/HITECH or FERPA.

Whether you’ve already made the move to a SaaS application, or are planning to make the move, be sure to consider the data protection and privacy implications of your decisions. Look for vendors who can help empower your business while also protecting your data is in accordance with your organizational and regional requirements.


Sources for inspiration and content:

About the Author: Mat Hamlin

Topics in this article