1 Introduction
As a result of cloud adoption, organizations find themselves at the crossroads of data sovereignty and data privacy. This has made compliance with cross-border data protection laws and regulations an important challenge. Data protection and data sovereignty laws and regulations are growing around the world, and organizations face substantial financial penalties if they fail to navigate this landscape of competing and sometimes contradictory requirements. The report reviews how ShardSecure Microshard technology can help organizations to respond to these challenges.
Data is the most important business asset of the modern organization, and it needs to be protected against unauthorized access as well as ransomware and loss. Organizations are using cloud services to improve flexibility, to create new products and to reduce costs through digital transformation. This is creating a tension between the benefits that these services provide and the risks created by using a third party, often in another country, to process data.
Differences in data protection legislation in different jurisdictions have led to wide-ranging controls over the movement of data. A notable example of this is the European Court of Justice Schrems II Judgement and the subsequent recommendations by the EDPB (European Data Protection Board). While these apply specifically to the protection of the personal data of EU residents, they are equally applicable to all sensitive data.
This judgement and the EDPB recommendations make it clear that processing personal data in the clear by cloud service providers and other data processors located outside of the EU is not permitted and that legal safeguards such as SCCs (Standard Contractual Clauses) are not sufficient. Organizations must implement supplementary technical measures to protect that data. The EDPB recommendations identify three major technical measures with examples of how they can be applied in several use cases. In summary, these are:
- Encryption - strong, state-of-the-art encryption in transit and at rest can help to provide an adequate level of data protection where keys are retained by the exporter.
- Pseudonymization - pseudonymization prior to the transfer can also serve as an effective supplementary measure to protect the data while it is being processed or shared.
- Split Processing - the use of two or more independent data importers, located in different jurisdictions, without disclosing any personal data to either of them.
In response to these concerns, on October 7th, 2022, the US published the Executive Order on Enhancing Safeguards for United States Intelligence Activities. Whilst this EO does not amend or replace existing US surveillance laws, it sets out additional safeguards that are clearly designed to counter the concerns raised by the Schrems II Judgement. Whether this will be acceptable to the EU courts remains to be seen. In the meantime, organizations are recommended to implement the EDPB technical measures.
The report reviews how ShardSecure Microshard technology, when used as part of an integrated approach to information lifecycle protection, can help organizations to respond to these challenges.