14 September 2021

Mastering ‘Data Sovereignty’ in a Borderless World 

By Jeff Arndt, Chief Information Officer

Data sovereignty is complex and heavily regulated. From the life raft floating on an ocean of regulatory and compliance red tape, CIOs need the least complicated solutions to the trials and tribulations of keeping Australian data in Australia. 

As organisations focus on scaling and optimising their Hybrid environments, as well as enabling the business with flexibility and scalability embedded as core foundations, CIOs are met with daily challenges around ‘clear and present’ dangers associated with data sovereignty compliance.

Where to start?

As an IT discipline, data sovereignty – the jurisdictional control or legal authority that can be asserted over the physical location of data within territorial boundaries – is multi-faceted. It raises many questions, crosses multiple boundaries in the digital supply chain and necessitates the support of strategic partnerships to achieve compliance quickly and easily.

Fundamentally, all organisations are mandated to keep Australia's data within Australia and in the hands of its own people, governments and industry. For this to happen, the data needs to be housed in data centres physically located in Australia (data residency), and only be accessible by Australian people and businesses.

Guiding principles

Data volumes are surging, digital supply chains have become globalised and cyber threats are more sophisticated and omnipresent. For these reasons, regulatory compliance, and jurisdiction (which determines where data must be located) is an ever-expanding and evergreen burden on CIOs.

There’s a lot at stake after all. If anything, it’s both a security issue and a destabilising business threat with serious ramifications for non-compliance.

Certainly, data sovereignty is a timely discussion. Australia’s Digital Transformation Agency (DTA) has been very vocal recently, defining measures that will ensure the Commonwealth’s sovereign data is kept secure and onshore.

As part of a new ‘Hosting Strategy’, the Commonwealth has levelled up its mandate around how sensitive Government data is secured. It has taken a bold and decisive move to ensure organisations who provide hosting services to Government can clearly demonstrate they comply with the new requirements, as set out in their new certification model as part of the Hosting Framework.

This isn’t something that’s going away. In fact, ensuring the compounding volumes of data are secured and meet sovereignty laws is an escalating problem – one that will continue to amplify as organisations accelerate their cloud migration and transformation priorities.

Three-point plan

We’re living and operating in a borderless world – where data, IT environments and digital supply chains are distributed – and there’s constant risk to plan for and mitigate.

Given the risky backdrop, what can CIOs do to mitigate the risk?

1. Build a Data Framework

Firstly, I recommend considering; where data is stored, where it’s processed/transacted, who has access to it, and how it’s secured in motion.

A good starting point is to understand from end-to-end ‘data in storage’ and ‘data in flight’ – and to weave all of that intelligence into a data framework that can properly classify ‘data at rest’ versus ‘data in motion’.

Leaders should aim to map out a data framework that investigates and understands:

  • Where data is stored and what laws in other jurisdictions can be applied to it
  • How the data is processed or transacted
  • How the data complies to standards like ISO, SOC, SCEC, PCI DSS, or other industry requirements.

2. Partner Strategically

The challenge of data sovereignty is too great to go it alone when the focus should be on cloud migration and other transformational priorities such as innovation, growth and building infrastructure resilience.

Achieving compliance and easier data management up and down all digital supply chains are specialist skills not always readily available in-house. So, it’s unrealistic to expect your already-burdened dev, test, provision and improvement teams to take on the heavy lifting of this additional load.

The shortest route to meeting data sovereignty compliance, starts with engaging specialist partners who truly understand and can demonstrate the integrity of your hybridised infrastructure and interconnected architecture.

3. ‘Certified Strategic’

Look for a data centre partner that’s ‘Certified Strategic’ under the DTA’s hosting certification framework. While this program applies specifically to Government procurement, it categorically highlights the data centres, and their facilities certified under the framework that have passed the highest stress test and level of audit scrutiny. Amongst other things, it guarantees that data housed there complies with the Australian Privacy Principles (APPs) determined by the Office of the Australian Information Commissioner (OAIC).

Colocating in DTA ’Certified Strategic’ data centres introduces immediate security and data sovereignty advantages. It ensures you and your customers’ data is safely held and interconnected only within facilities, platforms and availability zones that meet minimum standards acceptable by the Commonwealth to keep their sovereign data protected.

Getting behind the safety barrier

You can’t board the plane unless you go through the security door. A similar analogy applies to data sovereignty: You can’t safely meet data sovereignty obligations if you’re not actively seeking onshore infrastructure and cloud zones, or you can’t ensure all auditable data location requirements are met.

NEXTDC is where the cloud lives in Australia and it’s where digital organisations and the services ecosystem they engage, interconnect. We partner with you to help streamline data sovereignty, and make it easier to maintain a strong risk and compliance posture.

Reach out if our specialists can help you build the right controls and processes that ensure you have full control over keeping your sovereign information wholly within Australian-based Hybrid/Multi-Cloud infrastructure.