Data sovereignty is the concept that information in binary digital form is subject to the laws of the country in which it is located. And in the UAE, data sovereignty laws, regulations and standards dictate that all sensitive data, whether it be government, financial, medical, or personal, should not be hosted elsewhere.Today, though, it is noted that the very nature of cloud technology is continuously changing. Establishing data sovereignty to meet national regulations is more complex, and the onus is on organisations themselves to secure their IT cloud operations. This entails overcoming cloud adoption barriers, and addressing data breaches and technology lag.
Looking ahead, UAE companies need to acknowledge the importance of a comprehensive approach as they aim to establish a cloud risk management framework and balance potential rewards and uncertain losses. Inadequate evaluation of associated risks and speculative considerations of risk mitigation processes does represent a challenge that must be surpassed. However, the following three-phase approach can guide organisations as they implement a robust data sovereignty network:
Understanding the legislation roadmapUAE organisations should be aware of global standards and the regulatory environment in which they operate. Being fully educated concerning UAE federal laws, particularly laws concerning credit information and health data protection, is a priority. Furthermore, every entity must adhere to the regulatory framework for stored values and electronic payment systems issued by the UAE Central Bank in 2017, as well as the country’s free zone laws – including Dubai data law and the data protection regulations enacted by DIFC (Dubai International Financial Centre), ADGM (Abu Dhabi Global Market), and DHCC (Dubai Healthcare City) Authority.
Implementing an information governance model where actions and policies are initiated at the highest level represents the second phase. This includes adopting a data compliance program through an integrated strategy involving various cybersecurity initiatives. Data that organisations are responsible for securing in accordance with regulatory requirements must be identified. At the same time, companies must manage how they utilise this data as an asset and drive data sovereignty across the data lifecycle. Data lifecycle is perhaps best defined in six stages – creation, storage, usage, sharing, archival, and destruction. At the outset of compliance program development, organisations should carry out an extensive data mapping procedure, and calibrate necessary levels of controls that will require robustness throughout this process. They will also need to ensure current data management processes align with Information Security and Data Privacy Organisation Structure, defining updated roles and responsibilities to support the compliance framework.
Establishing an information governance reference frameworkThe final phase fundamental to a competent data sovereignty program entails organisations establishing that they are indeed compliant with laws and regulations. Adopting a data privacy program, regularly administering standard data privacy training and awareness programs for senior management and all employees exposed to sensitive data, and overseeing data privacy audits to point out weaknesses and develop a reliable risk mitigation process are all viable avenues. Moreover, employing staff that specialise in data privacy principles and technical data management framework differences, such as data migration, data backup, and data restoration, is also greatly encouraged. This will ensure data confidentiality, integrity, and completeness.
Sovereign cloud services are a necessity for UAE organisations, with many now overhauling their IT strategies to include cloud as part of their technology ecosystem. When executed correctly, the above phases can guide companies in achieving their data sovereignty aspirations. Besides enhancing security, safeguarding business continuity, lowering operational costs, and upskilling personnel, the value of copious amounts of public sector data can deliver influential impacts internally and externally. The benefits stemming from a secure public cloud are well within the realm of possibility for every organisation. The sooner a robust data sovereignty network is established, the quicker insights and innovation will drive sustainable change.