Nick Lennon is the ANZ Country Manager at Mimecast, having joined in 2007 as a Channel Sales manager. As a leader in management excellence, Nick has personally grown the local team from five members to over 100 since Mimecast’s introduction to the ANZ market. Nick maintains a passionate focus on achieving rapid local business growth, understanding evolving challenges across all verticals and ensuring customers get the best service driven by Mimecast’s strong culture.
What CEOs need to know about data sovereignty and data security
In the wake of an increasingly globalised digital economy, governments around the world are raising concerns about data jurisdictions and data privacy.
Many governments have mandated even stricter data privacy laws and data sovereignty practices, a recent example of which is the European GDPR standards.
There are also new national data sovereignty models emerging, like Estonia’s Data Embassy model, which is essentially an Estonian data centre located on foreign soil. Any data or resources in the Data Embassy remain under Estonian state control and jurisdiction.
This shift has huge implications for businesses residing in these countries, requiring them to navigate new rules and restrictions on how they collect, process, share and secure data, especially if they operate on a decentralised, multinational structure or work closely with overseas partners or vendors.
Closer to home, many CEOs and executives are struggling to navigate the constantly changing and sometimes ambiguous legal landscape of data security, especially if their organisation doesn’t fall under a regulated industry, which tends to have clearer data privacy and security laws.
The penalties for failing to comply with these regulations can be severe, which is why boards and executives are scrutinising their data practices, and the practices of their business partners, much more closely.
Let’s dive into what CEOs and executives can do to ensure their organisation doesn’t end up on the wrong side of the data sovereignty and security debate.
Understanding how data sovereignty laws apply to your organisation
Under current data sovereignty laws, governments require companies to keep their data within their country’s physical borders. Most of these laws focus on personal data, but some jurisdictions also include geolocation and other data. This legal landscape can be tricky to navigate, especially since most companies today rely on a number of external third-party services, some of which may be located overseas.
Australian Privacy Principles (APPs) have created rules for handling data sovereignty to ensure that organisations operating in Australia handle personal data responsibly. When an entity like say, a cloud services provider, discloses personal information to an overseas recipient, the entity is expected to take “reasonable steps” to make sure APP rules are followed.
Traditionally, data sovereignty and data protection would fall under the remit of the IT department, while procurement for cloud services sat squarely in the CIO’s domain. But given the pervasiveness of data-driven processes in modern business environments, data jurisdiction is a business policy issue that needs oversight from the executive board. After all, boards and directors are ultimately responsible for reputational risk, and if something goes wrong, they’ll be the ones in the line of fire from customers and regulatory bodies.
The first question executives need to ask is: “How do we collect, store and process data?” Finding the answer usually involves identifying third parties like cloud hosting providers and digging into their data practices. Even if your organisation is simply using web-based apps or industry-standard email services, it’s important to do a data audit and find out who else your data is being shared with. For example, when Office 365 first launched in Australia, it was only available out of Singapore. At the time, that meant that Australian data would technically reside on foreign servers, which raised a host of data privacy concerns.
This line of enquiry can be uncomfortable, but it’s better to identify any potential risks internally before a data breach exposes a lack of due diligence.
Review the data policies of your key service providers
Most modern organisations in Australia rely on an ecosystem of third-party services, contractors, vendors and providers to handle various functions. Even though they are independent entities, they are still privy to your organisation’s data. Depending on their function, they may have access to information about your clients, customers, contracts, marketing plans, or financials.
What are their data policies when it comes to handling your organisation’s data? For example, you may rely on your marketing agency to run social media campaigns by collecting and processing data and creating publishable information. Are their data practices in line with your company’s policies? Do they use any platforms or services that may send your organisation’s data overseas? This is one way your customer data could end up in locations that you are not aware of.
Adopt risk assessment measures for third-party services
Wise directors will introduce a formal third-party risk assessment process for any service provider that intends to work with their organisation. This assessment could cover questions like:
What are their cybersecurity measures and policies? For example, do they require staff to sign NDAs, or conduct background checks?
Do they use a Managed Service Provider? What are their MSP’s policies around data privacy?
What technologies are in place to protect data? This is a great way to assess their maturity level and to confirm that their users don’t share accounts, that each user has a unique login, and that appropriate restrictions and controls are in place.
Do they have a mandatory data breach notification scheme? What is their process for notifying breaches, and what are the responsibilities and timeframes?
What level of data access would they require?
Naturally, these aren’t easy conversations to have. And depending on your tolerance for risk, you might be willing to accept a less-than-perfect assessment if the benefits outweigh the risks. But the key thing is to make an informed decision: you need to know exactly who you are working with, and whether you can trust them. In the worst-case scenario of a data breach, it’s essential that you are able to demonstrate that you have done your due diligence and assessed any potential risks or liabilities.
Dealing with cyber risks and data sovereignty rules is now just the cost of doing business. We live and work in an interdependent digital economy and some degree of risk is inevitable. But by thoroughly vetting your own processes and the processes of your business partners, you can greatly mitigate that risk. Safeguarding your data and your customer’s data is not just your IT department’s responsibility, but an executive responsibility, and leaders need to be proactive in shaping how their organisation handles one of its most important assets – its data.