Complying with CCPA - Data Sovereignty, Privacy, and Cloud Computing

In 2019, we saw a number of headline-making privacy violations; this included the $5 billion fine against Facebook for “violating consumers’ privacy”. Because of a combination of increasingly hyper-connected cloud-based systems and raising consumer awareness regarding the importance of keeping data safe, privacy has become an important aspect of our IT infrastructure.

As a reflection of these changes, regulatory authorities across the world, have updated or created new laws to enforce data privacy. These laws have included the EU’s General Data Protection Regulation (GDPR) and more recently, the California Consumer Privacy Act (CCPA) which came into force on January 1, 2020. These laws and regulations focus on data sovereignty of personal data as a way to achieve privacy.


What is Data Sovereignty

Data sovereignty laws should not be confused with data residency regulation. In the latter case, a business would typically choose to store data in a given geographic, perhaps for tax reasons. Data sovereignty, however, is about abiding by the law of the country the data is processed in. This means ensuring the data complies with data protection laws during storage, transfer, and processing - no matter where it is located during that lifecycle. This increases complexity in the already burdened journey to cloud adoption as data may be created and stored in one location but moved to another for further handling and processing.

Regulations like the GDPR and CCPA, set specific jurisdiction over the processing of personal data. These personal data are defined by the regulations as being any data element that can be used to identify an individual. This data can take many forms and is classified according to sensitivity. These restrictions on personal data handling take the form of data subject rights and include requirements involving:

  • The right to data erasure
  • The right to data portability
  • The right to change data if errors are found

The regulations also set out that personal data requires security measures, such as encryption, to ensure it is protected.

This use of cloud computing can cause issues with regards to compliance with the data sovereignty regulations. For example, if your business uses a public or hybrid Cloud you will need to know the locations of where your data resides and moves to. You will also need to know the types of data flowing within that life cycle. Both GDPR and CCPA apply restrictions based on the classification of personal data as well as its location. This translates to having a robust data governance policy, including:

  • Data mapping to establish and classify data types
  • Audit and track data life cycle and location
  • Appropriate security measures based on the above two points

The CCPA and Data Sovereignty in the Cloud 

Understanding the impact of data sovereignty and privacy regulations on the use of cloud computing is vital to avoid fines for non-compliance. Both the GDPR and CCPA have far-reaching impact, involving businesses across the globe. Here are a few tips that allow you to prepare your cloud-based data for data sovereignty cloud regulations like the CCPA:

Tip 1: Minimize the data you collect and process - only take what you need to provide your service
Tip 2: Map the location of any cloud app used. Know where these data are transferred to and stored. Ensure that this map is kept up to date.
Tip 3: Have a data processing agreement with your cloud provider - make sure it meets the data privacy protection requirements in the GDPR, CCPA, and any other regulations your organization must abide by.
Tip 4: Use robust security across your data life cycle. This should include end-to-end encryption for data at rest, in transit, and in use. Use of strong authentication measures should shore up access to data.


Compliance, End-to-end Encryption and the CCPA

Our IT infrastructure has become ever-more complex and connected. This means data sovereignty cloud computing implications can be fuzzy. In turn, privacy and data protection regulations such as CCPA and GDPR are setting increasingly stringent restrictions on how we handle and process personal data. Taking these restrictions and making them fit with a public or hybrid cloud infrastructure is a challenge. End-to-end encryption meets this challenge, offering a way to ensure that no matter where data resides or goes to, it is protected. End-to-end encryption is a great way to help meet compliance goals; by encrypting data across the lifecycle through storage, movement, and in use, you can avoid massive fines and keep customers happy.

Schedule a demo of Kindite’s end-to-end encryption solution; learn how to easily secure personal data and meet the compliance requirements of GDPR and CCPA.