Data Sovereignty & Cross-Border Movement of Sensitive Data

One of the 14 key controls released with the EDM Council’s new Cloud Data Management Capability (CDMC) framework focuses on data sovereignty and cross-border movement. It’s critically needed, but highly complex and difficult to fully comprehend, let alone solve.

Local laws matter. The focus of the capability is compliance with all laws and regulations for the handling of sensitive data within a specific jurisdiction where data resides. This includes complying when data passes across geographic boundaries, both in and out. The capability is a logical statement of intent but the complexity starts to emerge as we zoom in and examine the dimensions of the requirements.

First, we need to understand what data is sensitive. We also need to recognize that sensitive data elements like columns are co-mingled with non-sensitive data in files, tables, etc. Both of these are covered by separate CDMC controls, so we will assume they are being satisfied.

Second, we need to consider overlapping and conflicting jurisdictions. Countries, states, and industry bodies are rapidly producing laws and regulations. These laws must be cross-referenced and mapped to risk-related controls and procedures. In addition, each capability must also be cross-mapped to laws and regulations of other countries, states, and industry bodies, so data can move between the two.

As if this wasn’t enough, we also must consider the intended use of specific sensitive data both within and across jurisdictions. This means that it’s not good enough to simply have mapped the regulations; we also must understand and approve the intended data use, ensuring both data owners and consumers agree to specific uses of physical data. In other words, data owners have rights around how their private data is used, which consumers must follow to stay compliant.

We also need a way of monitoring and enforcing compliance. This ensures that what was agreed to is in fact happening. This is complicated by other factors, including policies established between parent and subsidiaries, as well as their suppliers, contractors, and other agents.

Ignoring these mandates and doing nothing is not an option. Cloud compliance is table stakes for any business with cloud data. So how do we solve this massively complex challenge?

Consolidate Risk Initiatives

Data has grown into a true corporate data asset. Just as with any other asset class, it has its own complement of regulators, thieves, and attackers. This means data protection and risk mitigation must be promoted and consolidated with other enterprise risk management processes. Data governance is the path to accomplishing this.

The first step is recognizing the direct relationship between data governance and risk. This includes board-sponsored corporate governance & risk, enterprise risk management (ERM), and information security risk.

All three risk functions should be aligned. This requires they share a common set of identified risks, controls, standards, processes, and evidence requirements. In the past, many of these risk organizations and initiatives have been loosely coupled at best and run in their own data silos. This simply can’t be the case any longer.

Get the Lawyers Involved

Regulations are rarely prescriptive. They require interpretation that can be backed up and defined by legal opinion. Importantly, each organization must do this for themselves based on their specific business, situation, and risk tolerance. Lawyers can help you navigate the regulations for all jurisdictions in which a company operates.

The law and governance teams must work closely. It’s crucial that the legal opinion and defensive opinions the lawyers create align with a set of data sovereignty and cross-border data movement policies written by the risk management/governance team. These policies must also align with controls, standards, and procedures so that the company could be defended in civil or criminal court actions.

Manage by Policy and Contractual Agreements

Policies govern behavior. Once the policies are set they become the framework for the day-to-day management of data sharing. This includes the approval of data access requests and reevaluation of existing requests. What must be actually approved and managed is a contractual agreement between data providers and consumers. This agreement is commonly referred to as a Data Sharing Agreement.

Like any contract, a Data Sharing Agreement specifies the parties, scope, use, time period, responsibilities, recourse, etc. It should also reference the supporting policies which, as described above, will have already been examined and be supported by a corporate legal position.

An important element of the data policies and standards is the larger “why” behind their existence: What conditions trigger the need for such an agreement? Conditions clarify exemptions. For instance, sharing sensitive data — if it’s within a single business function, for internal use only, and does not cross geographical boundaries — may be exempt.

Investment in Automation

If all this sounds like a lot of work… you’re right, it is. As business leaders, we’re responsible for the security of the private data with which we’ve been entrusted. We need to manage and produce an audit record that proves that we are managing the flow of sensitive data through, across, in, and out of every part of our enterprises. In other words, it takes a village.

A data governance team supported by a handful of part-time data stewards will never be able to keep up with these new demands. There is only one way we can do this without strangling the business or depriving it of the agility it needs to compete. We need to automate the process, or at least as much of it as possible, which should be quite a bit.

Automation begins with cataloging all your enterprise assets. And just like a financial chart of accounts, the catalog becomes the mechanism where the data is classified and accounted for. A smart data catalog can monitor changes, auto-discover, and classify sensitive data; it can understand where it’s used, and by whom, and many other things.

But that is only the starting point. Once your assets are cataloged, you should automate the lifecycle of data sharing agreement requests, evaluation, approval, and entitlement creation. This reduces considerable manual labor and ensures compliance throughout the data lifecycle.

Examples of Automation in Action

Feeling lost? Here’s one example of automation in action.. Imagine you’re responsible for safeguarding data access. Someone is requesting access to data they discovered by looking at its metadata description in the catalog. The system knows who they are, their home location, and role. It also knows a lot about the data (from the catalog), including where it’s located, if it contains sensitive data, what policies govern its use, etc.

The catalog steps in to steward proper access: The requestor’s usage request form can digitally evaluate against all of that data to determine if they should be granted permission. If so, a data-sharing agreement is auto-generated and immediately sent to them for their electronic signature. Once they sign it, an IT service request is triggered for an admin to grant them access. All done without human intervention and 100% in alignment with policy.

Alation’s Ongoing CDMC Work

With CDMC 1.0 just released, it’s still early days… but we have no time to waste!

To develop the first test case and implementation example of the 14 CDMC controls, we’ve worked diligently with fellow EDM Council members and our partners Snowflake and KPMG.

But we are just getting started. Our plan is to continuously iterate on how each of the controls can be automated and then share the lessons learned with our broader community of catalog customers and beyond.

Join us at the DataVision conference on December 7th for “Tales from the Trenches: Lessons Learned From the Industry’s First CDMC Test Case” at 3:50pm EST.

The session is free for everyone – join us to see the CDMC test cases in action!