As organizations become increasingly global and interconnected, issues surrounding data privacy have become more complex.
A company may be based in France, but it may leverage the tools of U.S.-based companies like Google or Amazon to store and transmit sensitive data. If that France-based company stores customer information on a server that happens to be based in the U.S., where does that data really reside, who owns it, and what regulations should it be subject to?
Many countries and regions are taking a firm stance to create guidelines around those questions in order to protect private data. With regulations like the European Union’s General Data Protection Regulation (GDPR) setting the bar for data privacy protection, it’s more important than ever for companies to proactively safeguard their sensitive customer and employee data, everywhere it’s stored and shared.
Data Sovereignty means that data is subject to the laws and regulations of the geographic location where that data is collected and processed.
Data sovereignty is a country-specific requirement that data must remain within the borders of the jurisdiction where it originated. At its core, data sovereignty is about protecting sensitive, private data and ensuring it remains under the control of its owner.
To revisit the example of a France-based company using a U.S.-based cloud provider such as Google, that data would be subject to French law, but in reality, it’s also subject to U.S. law because it’s processed by an American company—even if the data is stored in a European data center. If Google were to receive a CLOUD Act subpoena or a Department of Justice request, Google is legally required to provide that information to the government. For the French company, that would be a breach in data sovereignty.
However, if that data is encrypted with a solution like Virtru’s end-to-end Google Workspace encryption, it remains protected and inaccessible to Google, the U.S. government, and everyone else—including Virtru. If the French company manages the encryption keys that unlock access to the data, they remain in full control of how their data is used, maintaining data sovereignty. Because the data was encrypted, with the keys also managed locally (in country, on premises), data sovereignty remains protected.
The most famous regulation related to data sovereignty is GDPR, which made waves when it took effect in 2018 and continued in 2023. In order to be GDPR compliant, organizations must implement and maintain “reasonable security” procedures and protections to protect EU citizens’ and residents’ private data from authorized access — in addition to taking several other data collection and protection measures. In the U.S., the California Consumer Privacy Act (CCPA) has a similar objective to give California residents greater control over how their data is used and stored.
These regulations intersect with data sovereignty when data is collected, processed, or stored outside the country or jurisdiction of the consumers these laws protect. In the case of GDPR, EU citizens’ and residents’ private data is protected by the same regulations, regardless of what company collects and stores this data (or where that company is located). Companies based in the U.S., China, or India are subject to the same compliance requirements—and noncompliance consequences—as companies based in the EU.
It’s a reality that most companies will have to share sensitive information outside the jurisdiction where they’re located—so how can companies achieve global scale while adhering to data sovereignty and remaining compliant with regulations like GDPR and CCPA?
By encrypting sensitive data and hosting their own encryption keys, organizations can ensure their customers’ private information remains protected, everywhere it’s shared or stored. End-to-end encryption ensures this sensitive data is protected across its entire life cycle, in accordance with data sovereignty, from the time that data is collected until the time a customer opts out.
Virtru’s end-to-end encryption solutions satisfy data sovereignty requirements by protecting sensitive data at the time of creation and providing the ability to store encryption keys in their required geographic region while allowing the organization to continue using the multinational cloud vendor of their choice. The Virtru Private Keystore allows companies to host their own encryption keys in a location of their choosing, whether on-prem or elsewhere.
Encrypting data at the object level—protecting each individual data file and email in its own protective wrapper—ensures that private information remains private, and that it can only be accessed by those that are authorized to do so.
Protecting private data isn’t just the right thing to do: It’s also a smart business decision. Encrypting sensitive data in line with compliance standards opens up a world of global opportunity, giving companies the confidence to select the global cloud partners that best meet their needs, while maintaining complete ownership over their data.
Virtru’s object-level encryption protects data across the entire supply chain, protecting organizations from breaches and expensive noncompliance penalties. To see how your organization can maintain data sovereignty, contact Virtru today.