What is data sovereignty (and why should you care)?

Chris Dolby
Cloud Product Manager
This blog post will explain data sovereignty, what it means for data in the cloud, why companies are using private cloud environments to host their data, and how to choose your private cloud provider to fulfil your data sovereignty requirements.
Let’s start off with some facts:
- Only 35% of organisations have full visibility into where their cloud data is stored and governed
- A survey of over 1,000 UK IT leaders shows 78% now prioritise sovereignty when selecting technology partners.
Keep these in mind for now. Throughout the blog, we will explain why they are important to you.
What is data sovereignty?
It’s the principle that any data collected by an organisation must comply with the laws and governance of the country where it was gathered, processed, or stored.
Cloud data can be subject to more than one nation’s laws. Depending on where it is being hosted or by whom it is controlled, different legal obligations regarding privacy, data security and breach notification may be applicable.
Thus, if you collect data about customers residing in the EU, that data must be processed in accordance with the GDPR wherever it is stored. If that data is stored in the UK, it may also be subject to UK data protection law, so more than one regime can apply to the same record at once.
Crucially, some organisations will mandate that any data gathered and processed about them must not leave its country of origin. For example, many UK government and public sector bodies demand that data stored by third-party vendors must be processed and stored in the UK only.
In some cases, large categories of data are prohibited from being transferred outside a country's geographic borders or jurisdiction. These regulations impact businesses that use a hybrid cloud approach, requiring them to work with multiple cloud providers who operate local data centres and adhere to each country's specific legal requirements.
Data sovereignty in the UK
At least six pieces of legislation together form the UK’s data sovereignty regime:
- UK General Data Protection Regulation (UK GDPR).
- Data Protection Act 2018 (DPA 2018).
- Investigatory Powers Act 2016 (IPA 2016).
- National Security and Investment Act 2021.
- Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR), as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019.
- Data (Use and Access) Act 2025 – currently being rolled out in stages. It amends the legislation above but does not replace it.
Following Brexit, the UK implemented its own version of the GDPR, known as the UK GDPR – similar, but tailored to UK law. Data transfers between the UK and the EU are facilitated by an adequacy decision from the European Commission, which acknowledges that the UK provides adequate data protection.
Entering our CLOUD Act era
Technically, none of this is new, but there is renewed attention on the topic now.
Under the CLOUD Act (Clarifying Lawful Overseas Use of Data Act, 2018), U.S. law enforcement can compel providers subject to U.S. jurisdiction, which in practice means the major American technology companies and their overseas subsidiaries, to produce electronic data in their possession, custody or control, regardless of whether that data is stored on servers inside or outside the U.S. This enables U.S. authorities to issue warrants and court orders to access data even if it belongs to non-U.S. persons and is stored in foreign data centres.
This law conflicts with other regulations such as the GDPR. Article 48 of the GDPR says that a foreign court order or request is enforceable only if it is based on an international agreement such as a mutual legal assistance treaty, so a European organisation (or a provider acting on its behalf) that hands over EU residents’ data in response to a direct CLOUD Act demand risks breaching the GDPR. The tension between the two has not yet been resolved in court.
AWS and Microsoft control 60-80% of the £9 billion UK cloud market, ahead of Google. Many organisations with a public cloud infrastructure now fear they will be asked to provide data to US authorities. Some are responding by re-patriating data to on-premises infrastructure, while others are investigating private cloud solutions where they will have more control over where data is located.
Data crosses borders while servers stay home
In June 2024, Microsoft admitted to Scottish policing bodies that it could not guarantee UK policing data hosted on its public cloud infrastructure would remain within the UK, despite its systems being deployed throughout the criminal justice sector.
Many public cloud providers enable you to select which geographical region your data is stored in, but that data may be processed or transferred internationally across cloud and other services (like M365) in specific situations.
Only 35% of organisations have full visibility into where their cloud data is stored and governed. The remaining 65% cannot be sure whether they are compliant, and may not realise that some of their data sits within reach of a US legal demand.
Two major trends have emerged in response: multi-cloud adoption and hybrid infrastructure models. Both approaches are designed to restore control, reduce single points of failure, and enhance resilience.
Multi-cloud allows businesses to distribute workloads across different providers, while hybrid setups blend public and private cloud environments to improve adaptability.
Data! Stay!
NCSC Cloud Security Principle 2.1 (Physical location and legal jurisdiction) states that “You should be confident that you know where your data is, and who can access your data.”
You should understand:
- in which countries your data will be stored, processed and managed
- which legal jurisdiction(s) your data will be subject to, and whether this is acceptable to you
- the rights that the service provider will have to access and use your data
- the legal circumstances under which your data could be accessed without your consent, and how this affects your compliance with UK legislation
For compliance purposes, consider two categories: data at rest and data in transit.
Data at rest
If you store data in the cloud, you’ll need to select options for replication and backup, which in many cases will involve storing data in another geographical location. Your cloud provider may or may not allow you to select the region where backups or replicas will be stored. If you are able to specify the region in which data will be stored, make sure you understand the regulatory requirements of each region.
Data in transit
Consider the following questions:
- How often do you transfer data between geographical regions?
- From where and to where is data transferred?
- What type of data is typically transferred?
You should understand your data flows because they relate to how data is being collected and processed. It is especially important to understand data sovereignty in the source and destination region, and if there are legal issues, adjust your data flows to ensure data ends up in the most appropriate legal jurisdiction.
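The two questions above, where every copy of a dataset sits at rest and where it moves in transit, can be answered mechanically once you have an inventory. The following Python is an added example written for this post, not code from the original article or from Claranet; the region-to-jurisdiction map, the classification policy, the resource and flow names and the sample inventory are all constructed for illustration. It flags every primary, replica or backup copy and every recurring transfer that lands in a jurisdiction your policy does not allow, fails closed on regions it has never seen, and also builds the AWS Organizations service control policy (the documented aws:RequestedRegion pattern) that prevents new resources being created outside your allowed regions in the first place.

```python
"""Data-residency check for cloud resources and data flows.

Added example (not from the original post). The region-to-jurisdiction map,
the classification policy and the sample inventory are constructed for
illustration; replace them with your provider's published region list and
your own data classification scheme.
"""
from dataclasses import dataclass, field
import json

# ASSUMPTION: illustrative mapping of provider region codes to the legal
# jurisdiction whose laws apply to data held there.
REGION_JURISDICTION = {
    "eu-west-2": "UK",      # London
    "eu-west-1": "EU",      # Ireland
    "eu-central-1": "EU",   # Frankfurt
    "us-east-1": "US",      # N. Virginia
    "ap-south-1": "IN",     # Mumbai
}

# ASSUMPTION: which jurisdictions may hold each data classification.
# None means the classification carries no residency constraint.
RESIDENCY_POLICY = {
    "uk-official": {"UK"},
    "personal": {"UK", "EU"},
    "public": None,
}


@dataclass
class Resource:
    """A stored dataset: the primary copy plus any replica and backup copies (data at rest)."""
    name: str
    classification: str
    primary_region: str
    replica_regions: list = field(default_factory=list)
    backup_regions: list = field(default_factory=list)


@dataclass
class Flow:
    """A recurring transfer of a resource to another region (data in transit)."""
    resource: str
    to_region: str
    purpose: str


def jurisdiction(region: str) -> str:
    """Fail closed: an unmapped region is an error, not an implicit pass."""
    if region not in REGION_JURISDICTION:
        raise ValueError(f"unknown region {region!r}; add it to REGION_JURISDICTION")
    return REGION_JURISDICTION[region]


def check_residency(resources, flows, policy=RESIDENCY_POLICY):
    """Return one finding per copy or transfer outside the allowed jurisdictions."""
    findings = []
    by_name = {r.name: r for r in resources}
    for r in resources:
        allowed = policy[r.classification]
        if allowed is None:
            continue
        copies = [("primary", r.primary_region)]
        copies += [("replica", reg) for reg in r.replica_regions]
        copies += [("backup", reg) for reg in r.backup_regions]
        for kind, region in copies:
            j = jurisdiction(region)
            if j not in allowed:
                findings.append(f"{r.name}: {kind} copy in {region} ({j}) outside {sorted(allowed)}")
    for f in flows:
        r = by_name[f.resource]
        allowed = policy[r.classification]
        if allowed is None:
            continue
        j = jurisdiction(f.to_region)
        if j not in allowed:
            findings.append(f"{r.name}: transfer to {f.to_region} ({j}) for {f.purpose!r} outside {sorted(allowed)}")
    return findings


def region_deny_scp(allowed_regions, exempt_global_services=("iam:*", "organizations:*", "sts:*", "support:*")):
    """AWS Organizations SCP that denies API calls outside the allowed regions.

    ASSUMPTION: the provider is AWS. The aws:RequestedRegion condition key and
    the NotAction exemption for global services follow AWS's documented
    region-restriction pattern; other providers need their own equivalent.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyOutsideAllowedRegions",
            "Effect": "Deny",
            "NotAction": list(exempt_global_services),
            "Resource": "*",
            "Condition": {"StringNotEquals": {"aws:RequestedRegion": list(allowed_regions)}},
        }],
    }


# Constructed sample inventory: a UK public-sector workload whose backups were
# placed in Ireland and whose CRM data is accessed by an offshore team.
SAMPLE_RESOURCES = [
    Resource("case-files", "uk-official", "eu-west-2", backup_regions=["eu-west-2", "eu-west-1"]),
    Resource("crm", "personal", "eu-west-2", replica_regions=["eu-central-1"]),
    Resource("website-assets", "public", "us-east-1"),
]
SAMPLE_FLOWS = [
    Flow("crm", "ap-south-1", "offshore support team access"),
    Flow("case-files", "eu-west-2", "nightly reporting"),
]

if __name__ == "__main__":
    for line in check_residency(SAMPLE_RESOURCES, SAMPLE_FLOWS):
        print("FINDING:", line)
    print(json.dumps(region_deny_scp(["eu-west-2"]), indent=2))
```

Run against the sample inventory it reports two findings: the case-files backup in eu-west-1 (an EU copy of UK-only data) and the CRM transfer to ap-south-1 (offshore access counts as processing, as the next section explains). The EU replica of the CRM passes because personal data is allowed in the UK or the EU. The SCP is the preventive counterpart: the checker tells you what has already leaked across a border, the policy stops new resources being created there.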
Data processing is often misunderstood
In data privacy terms, someone simply accessing data from abroad is considered processing, and their location becomes a processing location. For example, if you outsource software engineering to India and the engineers work on a web application storing customer information from the UK/EU, then you must declare India as a data processing location. This can usually be managed at the contract level, so long as you are transparent about your processing locations and the controls in place to allow secure processing. However, as stated above, some customers have very strict terms that limit who can access and process their data.
Questions to ask prospective cloud vendors to ensure data sovereignty
Can you be sure that your cloud provider’s data centres are located in the UK, or that they comply with your data sovereignty requirements for international data transfers? Uncertainty on this point is why one recent survey of over 1,000 UK IT leaders found that 78% now prioritise sovereignty when selecting technology partners.
If you are selecting vendors for your cloud environment, and you want to ensure that your data sovereignty needs are covered, ask them the following questions:
- What systems do you have in place to ensure that the data does not leave particular locality?
- Does your solution offer geographic access controls?
- In what geographies do you have data centres?
- What resources do you have to ensure compliance with local data retention laws?
- When data is moved off the hosted service, can it be moved without violating data residency laws?
- Are backup copies being made and where are they stored?
- How is encryption handled?
- Who has access to the encryption keys, and in which jurisdiction are they held?
- How is data access monitored and alerted?
- Who owns the data?
- How will data be secured?
- Do you conduct annual security audits with external third-party security specialists?
- If yes, can you provide the results for the last three years?
- Is there a secure destruction policy if I remove my data from the hosted service?
Claranet’s Managed Private Cloud solution is managed and optimised by dedicated cloud experts, so you can be certain that you have the right workload in the right cloud environment, so you get the features and services you need while staying compliant.
Claranet is here to help you solve data sovereignty issues and take back control of your cloud data. Contact one of our cloud experts today.