Who owns your data in the cloud?

Chris Dolby
Cloud Product Manager
The short answer is you. But it gets more complicated when it comes to data processing, including who is handling your data. In this blog, we will demonstrate the practical steps you can take to manage risks around data processing and ensure UK data sovereignty, and explain why a managed private cloud solution is best for achieving that.
Data in the cloud: yours, but not always under your control
Cloud computing lets you store, process, and access data from anywhere. But when your data sits on servers in other regions, who really controls it? In 2023, 89% of UK businesses used some form of cloud service, according to the ONS. Many don’t know where all their data lives. In a separate study, only 35% of organisations have full visibility into where their cloud data is stored and governed.
Border force: data to declare?
Data sovereignty means your information is governed by the laws of the country where it is held. In the UK, that means UK GDPR and the Data Protection Act 2018 (among other laws). If your data is stored on a server that sits outside the UK or EEA, you must also comply with the data protection laws of those countries.
Some of this is easy. For example, the UK GDPR is designed to reflect the EU GDPR, so data storage that satisfies one should, in most cases, guarantee compliance with the other. In other cases, it gets more complicated. For example, the U.S. CLOUD Act lets American authorities request data from US-based providers, even if that data is stored in the UK.
This is still theoretical: subpoenas requesting information under the U.S. CLOUD Act have not developed into court cases, so there is still little legal precedent for how judges will rule on such cases. However, it does create compliance conflicts. For example, if a European company complied with a subpoena to submit information to American law enforcement which contained details of European citizens, they would break GDPR.
Following the principle of data sovereignty lets you reduce compliance and information governance risks, provided you ensure that certain sensitive information is stored only on servers located in the UK.
Compliance and information risk management
In the context of data protection and data sovereignty, risk management means knowing who holds your data and where it resides, and being able to prove in an audit that you have taken adequate steps to secure personal data when it is transferred to other countries.
Some customers or organisations may have a requirement that sensitive data, if stored in the cloud, is stored on a server on UK soil. Many public cloud providers enable you to select which geographical region your data is stored in, but that data may be processed or transferred internationally across cloud and other services (like M365) in specific situations.
In one notable example, last year Microsoft admitted to Scottish policing bodies it couldn’t guarantee that UK policing data hosted on its public cloud infrastructure would remain within the UK, despite its systems being deployed throughout the criminal justice sector.
An effective way to minimise your compliance risks and ensure UK data sovereignty is to use a managed private cloud. If you use a mix of public and private clouds, your IT MSP can help you understand what types of data and workloads are best suited to each environment and why.
Want to take back control? Start naming names
If you want to get visibility and control over your data, begin by asking some questions:
- Have you done a Data Protection Impact Assessment?
- Where on your IT network is your personally identifiable information (PII) stored?
- Is all or part of the personally identifiable information stored in the cloud?
- Is all or part of that data encrypted?
- Who can access this data and where are they located geographically?
- Under what circumstances can users access that data?
- What laws and regulations must you comply with?
With these questions, you can begin to map out where your data lives, who can access it or process it, and what this means for your compliance risks. If you want to start getting practical, involve your compliance team, but remember that IT teams and compliance teams will often use two different sets of terminology to describe data ownership.
For example, let’s look at GDPR and data governance models.
GDPR terminology | Role |
Data Controller | |
Joint Controller | |
Data Processor | |
Sub-Processor | |
By comparison, data governance models set out the members of your business who are responsible for data quality and usage:
Data governance terminology | Role |
Data Owner | |
Data Custodian | |
Data Stewards | |
Data User | |
Using these two models, you can begin to get a handle on who can help you manage your information governance and compliance risks.
Practical steps for strong data ownership
To reduce your risk:
- Control access: Use strong passwords, enforce multi-factor authentication, and only give users necessary permissions. The NCSC (National Cyber Security Centre) recommends “least privilege” for cloud services.
- Encrypt data: Apply encryption both at rest and in transit. Choose providers that let you hold your own encryption keys. The NHS Data Security and Protection Toolkit sets this as a standard for health data.
- Monitor and audit: Enable logging. Regularly review logs for unusual activity.
- Contract clarity: Make sure your contract spells out data ownership, exit procedures, and who is liable for breaches. The FCA mandates this in supplier contracts to ensure continuity and compliance.
- Legal compliance: If you use data processors outside the UK, check whether there are “adequacy agreements” or use Standard Contractual Clauses. The ICO provides checklists for UK businesses exporting data.
Managed Private Cloud: control without compromise
Most UK businesses use a mix of clouds. Public clouds offer scale and innovation, but you may not know exactly where your data is. A survey of over 1,000 UK IT leaders shows 78% now prioritise sovereignty when selecting technology partners. That’s why many businesses in regulated sectors such as finance, healthcare, and retail are shifting sensitive workloads to private clouds based in UK data centres.
Private clouds let you pick the physical location and control who has access. You get one set of rules, one set of compliance checks, and you know exactly where your data lives. For the most sensitive applications—health, payments, customer identities—this reduces risk and makes audits easier.
A hybrid approach is common: keep regulated or sensitive data in a private cloud, use public cloud for other workloads. This lets you balance control, compliance, and cost.
Managed private cloud solutions offer UK-based infrastructure, 24/7 monitoring, and help with compliance demands. This means you can focus on your business, not cloud configuration headaches.
Choosing the right cloud environment for data sovereignty
To make the right cloud choice, ask:
- Where is my data stored and backed up? (Check your cloud console and contracts.)
- Which laws apply? (The answer depends on both location and provider headquarters.)
- Who can access it, and under what circumstances? (Do you hold the keys?)
- Can I demonstrate compliance to auditors? (How fast can you pull a log, or show an access trail?)
If you can’t answer these, now is the time to review your strategy. Private and hybrid clouds give you options.
Claranet’s Managed Private Cloud solution is managed and optimised by dedicated cloud experts, so you can be certain that you have the right workload in the right cloud environment and get the features and services you need while staying compliant.
Claranet is here to help you solve data sovereignty issues and take back control of your cloud data. Contact one of our cloud experts today.