Navigating the maze of data sovereignty laws can be intimidating, organizations should not let this deter them from making the move if companies do their due diligence.

Guest Commentary, Guest Commentary

April 17, 2017

4 Min Read
Allan Leinwand, ServiceNow

In the beginning, the cloud was somewhat of a mystery.  This seemingly magical technology has transformed the way many organizations operate, and companies around the world are taking advantage of all that the cloud has to offer.  Yet despite the implications of its name, the cloud is a very physical and hardware-centric technology. With this physicality comes a unique set of challenges, particularly in regards to data sovereignty.

Companies eager to migrate to the cloud are finding that the question of where their data will reside is not as simple as it used to be.  In the past, the idea of letting data, especially sensitive information, outside of its walls was out of the question.  Now, with data stored in the cloud, companies are faced with local data regulations and maintaining cross-border data and compliance. The rapid adoption of cloud-based technologies and expansion of cloud service providers across the globe is making the physical aspect of the cloud a much bigger issue for companies migrating to the cloud.  Adding to the confusion is that there is no standard set of rules or requirements when it comes to privacy and data hosting.  This means companies are subject to their state or country’s data sovereignty laws which vary from place to place.

Even with the technical and legal challenges of moving on-premises systems and information stores to the cloud, companies recognize the many benefits the cloud has to offer and are moving forward.  To avoid the headaches of complying with data sovereignty, companies need to know the location of their data, do their homework, and put transparency above all else.

Location is key

Because data sovereignty laws vary from region to region, companies need to identify a provider with data centers that comply with all applicable data sovereignty laws.  The locations of their data centers are key to this process as well as the provider’s agility and flexibility in regards to the physical location of the data.  If a provider does not have a large enough network they may not be able to ensure complete compliance with data sovereignty.

 Also worth noting is how companies working in the government or healthcare industries are often subject to stricter data sovereignty laws.  For instance, some federal agencies within the United States require their data be stored exclusively within the US. Companies should consider and evaluate providers that specialize in these industries.

Do your homework

When working with customers on their cloud migration strategy, they often will tell me that they can’t migrate to the cloud because of concerns over the physical location of data.  Before making that determination companies need to do more research, read the fine print of their cloud contract, and ask the right questions.

When moving data to the cloud, companies need to dig deeper in their research and line of questioning.  Start with the basics, followed by the tougher questions.  Often, the answers will reveal red flags suggesting that they are not in compliance with their region’s data sovereignty laws and need to reassess their approach to adopting cloud-based services.  Companies should consider asking the following questions:

  • What types of services is your company using, and where does all the physical data reside? 

  • Can they exchange email or other communications with entities outside of the company or region?

  • Do they store any data outside of the company or country with partners or suppliers? 

  • Do they use any other cloud services?


Priortize transparency

One of the biggest hurdles we see companies have to overcome when migrating to the cloud is accepting that their data will no longer be under their control.  To help companies be more comfortable with having confidential information outside of their power, providers need to be more transparent.  Companies should, therefore, look for a provider that will give them greater visibility and access.  This transparency will go a long way with earning customer trust and confidence in the cloud.

The cloud is changing the way companies get work done, making it the defacto standard for many organizations’ IT infrastructure.  While navigating the maze of data sovereignty laws can be intimidating, organizations should not let this deter them from making the move.  If companies do their due diligence and get the right help, they will have a smoother transition to the cloud. 

Allan Leinwand is chief technology officer at ServiceNow, the enterprise cloud company. In this role, he is responsible for overseeing all technical aspects and guiding the long-term technology strategy for the company.

Before joining ServiceNow, Leinwand was chief technology officer – Infrastructure at Zynga, Inc. where he was responsible for all aspects of technology infrastructure used in the delivery of Zynga’s social games including data centers, networking, compute, storage, content distribution and cloud computing. Leinwand currently serves as an adjunct professor at the University of California, Berkeley where he teaches on the subjects of computer networks, network management and network design. He holds a bachelor of science degree in computer science from the University of Colorado at Boulder.

About the Author(s)

Guest Commentary

Guest Commentary

The InformationWeek community brings together IT practitioners and industry experts with IT advice, education, and opinions. We strive to highlight technology executives and subject matter experts and use their knowledge and experiences to help our audience of IT professionals in a meaningful way. We publish Guest Commentaries from IT practitioners, industry analysts, technology evangelists, and researchers in the field. We are focusing on four main topics: cloud computing; DevOps; data and analytics; and IT leadership and career development. We aim to offer objective, practical advice to our audience on those topics from people who have deep experience in these topics and know the ropes. Guest Commentaries must be vendor neutral. We don't publish articles that promote the writer's company or product.

Never Miss a Beat: Get a snapshot of the issues affecting the IT industry straight to your inbox.

You May Also Like


More Insights