dido:public:ra:1.2_views:3_taxonomic:4_data_tax:06_protect:start
Differences
This shows you the differences between two versions of the page.
| Both sides previous revision Previous revision Next revision | Previous revision | ||
|
dido:public:ra:1.2_views:3_taxonomic:4_data_tax:06_protect:start [2021/10/05 12:50] nick [Kinds of Geographic Jurisiction] |
dido:public:ra:1.2_views:3_taxonomic:4_data_tax:06_protect:start [2022/05/27 19:50] (current) nick grammar |
||
|---|---|---|---|
| Line 1: | Line 1: | ||
| - | ====== 2.3.4.6 Geographic Jurisiction Data Governance ====== | + | ====== 2.3.4.6 Geographic Jurisdiction Data Governance Taxonomy ====== |
| - | [[dido:public:ra:1.2_views:3_taxonomic:4_data_tax | Return to Data Taxonomy]] | + | [[dido:public:ra:1.2_views:3_taxonomic:4_data_tax:start| Return to Data Taxonomy]] |
| ===== Overview ===== | ===== Overview ===== | ||
| - | [[dido:public:ra:1.2_views:3_taxonomic:4_data_tax:06_protect| Return to Top]] | + | [[dido:public:ra:1.2_views:3_taxonomic:4_data_tax:06_protect:start| Return to Top]] |
| - | : //Geographic Jurisiction Data Governance is the judicial (legal and contractual/policy) considerations that are applicable within and across physical geographic boundaries/areas. (( | + | : //Geographic Jurisdiction Data Governance is the judicial (legal and contractual/policy) considerations that are applicable within and across physical geographic boundaries/areas. (( |
| Steven Woodward, | Steven Woodward, | ||
| - | __Geo-Jurisdictions: Myths, Realities and Complexities__, | + | __Geo-Jurisdictions: Myths, Realities, and Complexities__, |
| Cutter Business Technology Journal, | Cutter Business Technology Journal, | ||
| Vol 31, No. 8, 2018, | Vol 31, No. 8, 2018, | ||
| Line 14: | Line 14: | ||
| ))// | ))// | ||
| - | Originally, before the ubiquitious use of neworks and internet, hardware abstraction, virtualization, the explosion in cloud computing, and globalizaton of tech compaines, data protection was relatively easy which a large portion of the Data Protection accomplished through [[dido:public:ra:xapend:xapend.a_glossary:p:physicalsecurity]]. Thess original concepts of Data Protection were greatly expanded to cover [[dido:public:ra:1.4_req:2_nonfunc:25_security | Securability]]. Although, this was an improvement in protecting data from the perspective of the corporation, there was little protection for the end-user (i.e., consumer) from the corporations. Figure {{ref>GeoTechAreas}} represents the widespread nature of Geographic Jurisiction Data Governance. Fortunately, most of the tecg areas such as Cloud Computing, Artifical Inteligence and Big Data have already made adaptations for Geographic Jurisiction Data Governance expecially since it has been mandated by [[dido:public:ra:xapend:xapend.l_regulations:start | Internation and national Governance and Regulation ]] such as [[dido:public:ra:xapend:xapend.a_glossary:g:dgpr]], [[dido:public:ra:xapend:xapend.a_glossary:d:dpa]], and [[dido:public:ra:xapend:xapend.a_glossary:c:ccpa]]. | + | Originally, before the ubiquitous use of networks and the internet, hardware abstraction, virtualization, the explosion in cloud computing, and globalization of tech companies, data protection was relatively easy, and a large portion of the Data Protection was accomplished through [[dido:public:ra:xapend:xapend.a_glossary:p:physicalsecurity]]. These original concepts of Data Protection were greatly expanded to cover [[dido:public:ra:1.4_req:2_nonfunc:25_security | Securability]]. Although this was an improvement in protecting data from the perspective of the corporation, there was little protection for the end-user (i.e., consumer) from the corporations. Figure {{ref>GeoTechAreas}} represents the widespread nature of Geographic Jurisdiction Data Governance. Fortunately, most of the tech areas such as Cloud Computing, Artificial Intelligence and Big Data have already made adaptations for Geographic Jurisdiction Data Governance especially since it has been mandated by [[dido:public:ra:xapend:xapend.l_regulations:start | International and National Governance and Regulation]] such as [[dido:public:ra:xapend:xapend.a_glossary:g:dgpr]], [[dido:public:ra:xapend:xapend.a_glossary:d:dpa]], and [[dido:public:ra:xapend:xapend.a_glossary:c:ccpa]]. |
| <figure GeoTechAreas> | <figure GeoTechAreas> | ||
| - | {{ :dido:public:ra:1.2_views:3_taxonomic:4_data_tax:screen_shot_2021-10-04_at_2.39.22_pm.png?400 | }} | + | {{ :dido:public:ra:1.2_views:3_taxonomic:4_data_tax:screen_shot_2021-10-05_at_9.53.46_am.png?400 |}} |
| - | <caption>Geographic Jurisiction Data Governance touches most technical areas</caption> | + | <caption>Geographic Jurisiction Data Governance touches most technical areas see (( |
| + | Steven Woodward, | ||
| + | __Geo-Jurisdictions: Myths, Realities, and Complexities__, | ||
| + | Cutter Business Technology Journal, | ||
| + | Vol 31, No. 8, 2018, | ||
| + | The Critical Need for Data Governance, | ||
| + | [[https://www.cutter.com/article/geo-jurisdictions-myths-realities-complexities-500906]] | ||
| + | ))</caption> | ||
| </figure> | </figure> | ||
| - | Unfortunately, most distributed computing platforms (i.e., DIDOs) have done little to address Geographic Jurisiction Data Governance even while the amount of governance and regulation has increased beome relatively mainstream internationally. Some of the Countries that have enacted data protection laws are [[https://incountry.com/country-compliance/]], [[https://incountry.com/blog/data-residency-laws-by-country-overview/]]: | + | Unfortunately, most distributed computing platforms (i.e., DIDOs) have done little to address Geographic Jurisdiction Data Governance even while the amount of governance and regulation has increased and become relatively mainstream internationally. Some of the 90+ Countries and their various laws are described in detail on the InCountry website(( |
| + | InCountry.com, | ||
| + | Country Compliance Research Center, | ||
| + | Accessed 6 October 2021, | ||
| + | [[https://incountry.com/country-compliance/]] | ||
| + | )). The InCountry team is constantly updating the site with new regulations and more countries, The following list represents some of the major non-USA countires: | ||
| * China | * China | ||
| Line 30: | Line 42: | ||
| * Switzerland | * Switzerland | ||
| * Turkey | * Turkey | ||
| - | * United Arab Emerites | + | * United Arab Emirates |
| * United States of America | * United States of America | ||
| * State of California | * State of California | ||
| - | ===== Kinds of Geographic Jurisiction ===== | + | ===== Kinds of Geographic Jurisdiction ===== |
| - | [[dido:public:ra:1.2_views:3_taxonomic:4_data_tax:06_protect| Return to Top]] | + | [[dido:public:ra:1.2_views:3_taxonomic:4_data_tax:06_protect:start| Return to Top]] |
| - | There are three main categories of Geographic Jurisiction Data Governance: [[dido:public:ra:1.2_views:3_taxonomic:4_data_tax:06_protect#data_residency]], [[dido:public:ra:1.2_views:3_taxonomic:4_data_tax:06_protect#data_sovereignty |Data Sovereignty]] and [[[[dido:public:ra:1.2_views:3_taxonomic:4_data_tax:06_protect#data_localization |Data Localization]]. Usually, these concpets are applied strickly to data storage with an increase burden to store the data in the jurisdiction where the data is created. Basically, it is represents the [[dido:public:ra:xapend:xapend.a_glossary:d:dataatrest]] data state, see: [[dido:public:ra:1.2_views:3_taxonomic:4_data_tax:02_state_taxonomy:start]]. | + | There are three main categories of Geographic Jurisdiction Data Governance: [[dido:public:ra:1.2_views:3_taxonomic:4_data_tax:06_protect:start#data_residency |Data Residency]], [[dido:public:ra:1.2_views:3_taxonomic:4_data_tax:06_protect:start#data_sovereignty|Data Sovereignty]] and [[dido:public:ra:1.2_views:3_taxonomic:4_data_tax:06_protect:start#data_localization|Data Localization]]. Usually, these concepts are applied strictly to data storage with an increased burden to store the data in the jurisdiction where the data is created. Basically, it represents the [[dido:public:ra:xapend:xapend.a_glossary:d:dataatrest]] data state, see: section [[dido:public:ra:1.2_views:3_taxonomic:4_data_tax:02_state_taxonomy:start]]. |
| ==== Data Residency ==== | ==== Data Residency ==== | ||
| - | [[dido:public:ra:1.2_views:3_taxonomic:4_data_tax:06_protect| Return to Top]] | + | [[dido:public:ra:1.2_views:3_taxonomic:4_data_tax:06_protect:start| Return to Top]] |
| : //**Data Residency** refers to where a business, industry body or government specifies that their data is stored in a geographical location of their choice, usually for regulatory or policy reasons.// | : //**Data Residency** refers to where a business, industry body or government specifies that their data is stored in a geographical location of their choice, usually for regulatory or policy reasons.// | ||
| - | : //A typical example of a Data Residency requirement in action is where a company wishes to take advantage of a better tax regime. Doing so will usually require the business to prove they are not conducting too great a proportion of core business activities outside that country’s borders – including the processing of data. They will therefore impose a Data Residency that requires them to use certain infrastructures, and then impose strict data management workflows on themselves and any cloud service providers in order to protect their taxation rights. | + | : //A typical example of a Data Residency requirement in action is where a company wishes to take advantage of a better tax regime. Doing so will usually require the business to prove they are not conducting too great a proportion of core business activities outside that country’s borders – including the processing of data. They will therefore impose a Data Residency that requires them to use certain infrastructures, and then impose strict data management workflows on themselves and any cloud service providers in order to protect their taxation rights.//(( |
| - | [[https://www.insightsforprofessionals.com/it/storage/data-sovereignty-data-residency-data-localization]]// | + | Jullian Box, |
| + | __Data Sovereignty vs Data Residency vs Data Localization__, | ||
| + | 12 March 2019, | ||
| + | Accessed: 6 October 2021, | ||
| + | [[https://www.insightsforprofessionals.com/it/storage/data-sovereignty-data-residency-data-localization]] | ||
| + | )) | ||
| ==== Data Sovereignty ==== | ==== Data Sovereignty ==== | ||
| - | [[dido:public:ra:1.2_views:3_taxonomic:4_data_tax:06_protect| Return to Top]] | + | [[dido:public:ra:1.2_views:3_taxonomic:4_data_tax:06_protect:start| Return to Top]] |
| - | : //**Data Sovereignty** differs from Data Residency in that not only is the data stored in a designated location, but is also subject to the laws of the country in which it is physically stored. This difference is crucial, as data subjects (any person whose personal data is being collected, held or processed) will have different privacy and security protections according to where the data centers housing their data physically sit.// | + | : //**Data Sovereignty** differs from Data Residency in that not only is the data stored in a designated location but is also subject to the laws of the country in which it is physically stored. This difference is crucial, as data subjects (any person whose personal data is being collected, held, or processed) will have different privacy and security protections according to where the data centers housing their data physically sit.// |
| - | : //This difference is also crucial for businesses, as a government’s rights of access to data found within its borders differ widely from country to country. This is where data sovereignty and residency are often conflated. Ensuring data sits within a geographical location for whatever reason - whether avoiding or taking advantage of laws, regulations and tax regimes, or even for pure preference and comfort - is a matter of Data Residency. But the principle that the data is subject to the legal protections and punishments of that country is a matter of data sovereignty.// | + | : //This difference is also crucial for businesses, as a government’s rights of access to data found within its borders differ widely from country to country. This is where data sovereignty and residency are often conflated. Ensuring data sits within a geographical location for whatever reason - whether avoiding or taking advantage of laws, regulations, and tax regimes, or even for pure preference and comfort - is a matter of Data Residency. But the principle that the data is subject to the legal protections and punishments of that country is a matter of data sovereignty.// |
| - | : //They are clearly related, and even two sides of the same coin, but one is a matter of national legal rights and obligations, while the other is a matter of geography. Recognizing this distinction will help professionals better prepare for compliant data management and exchange. | + | : //They are clearly related, and even two sides of the same coin, but one is a matter of national legal rights and obligations, while the other is a matter of geography. Recognizing this distinction will help professionals better prepare for compliant data management and exchange.//(( |
| - | [[https://www.insightsforprofessionals.com/it/storage/data-sovereignty-data-residency-data-localization]]// | + | Jullian Box, |
| + | __Data Sovereignty vs Data Residency vs Data Localization__, | ||
| + | 12 March 2019, | ||
| + | Accessed: 6 October 2021, | ||
| + | [[https://www.insightsforprofessionals.com/it/storage/data-sovereignty-data-residency-data-localization]] | ||
| + | )) | ||
| ==== Data Localization ==== | ==== Data Localization ==== | ||
| - | [[dido:public:ra:1.2_views:3_taxonomic:4_data_tax:06_protect| Return to Top]] | + | [[dido:public:ra:1.2_views:3_taxonomic:4_data_tax:06_protect:start| Return to Top]] |
| : //**Data Localization** is the most stringent and restrictive concept of the three, and like data sovereignty, is a version of Data Residency predicated on legal obligations. It is also the concept that is growing the fastest internationally.// | : //**Data Localization** is the most stringent and restrictive concept of the three, and like data sovereignty, is a version of Data Residency predicated on legal obligations. It is also the concept that is growing the fastest internationally.// | ||
| - | : //Data Localization requires that data created within certain borders stay within them. In contrast to the two terms above, it is almost always applied to the creation and storage of personal data, with exceptions including some countries’ regulations over tax, accounting and gambling.// | + | : //Data Localization requires that data created within certain borders stay within them. In contrast to the two terms above, it is almost always applied to the creation and storage of personal data, with exceptions including some countries’ regulations over tax, accounting, and gambling.// |
| : //In many cases, Data Localization laws simply require that a copy of such data be held within the country’s borders, usually to guarantee that the relevant government can audit data on its own citizens (provided there is due cause) without having to contend with another government’s privacy laws. India’s draft Personal Data Protection Bill is an example of exactly this (you can see more discussion of the Bill in our Director of Data Privacy Services’ blog here).// | : //In many cases, Data Localization laws simply require that a copy of such data be held within the country’s borders, usually to guarantee that the relevant government can audit data on its own citizens (provided there is due cause) without having to contend with another government’s privacy laws. India’s draft Personal Data Protection Bill is an example of exactly this (you can see more discussion of the Bill in our Director of Data Privacy Services’ blog here).// | ||
| - | : //However, there are countries where the law is so strict as to prevent it crossing the border at all. For instance, Russia’s On Personal Data Law (OPD-Law) requires the storage, update and retrieval of data on its citizens to be limited to data center resources within the Russian Federation. | + | : //However, there are countries where the law is so strict as to prevent it from crossing the border at all. For instance, Russia’s On Personal Data Law (OPD-Law) requires the storage, update, and retrieval of data on its citizens to be limited to data center resources within the Russian Federation.//(( |
| - | [[https://www.insightsforprofessionals.com/it/storage/data-sovereignty-data-residency-data-localization]]// | + | Jullian Box, |
| + | __Data Sovereignty vs Data Residency vs Data Localization__, | ||
| + | 12 March 2019, | ||
| + | Accessed: 6 October 2021, | ||
| + | [[https://www.insightsforprofessionals.com/it/storage/data-sovereignty-data-residency-data-localization]] | ||
| + | )) | ||
| + | |||
| + | ===== Geographic Jurisdiction Concerns ===== | ||
| + | [[dido:public:ra:1.2_views:3_taxonomic:4_data_tax:06_protect:start| Return to Top]] | ||
| + | |||
| + | The main emphasis of Julian Box's article is on Cloud Computing(( | ||
| + | Jullian Box, | ||
| + | __Data Sovereignty vs Data Residency vs Data Localization__, | ||
| + | 12 March 2019, | ||
| + | Accessed: 6 October 2021, | ||
| + | [[https://www.insightsforprofessionals.com/it/storage/data-sovereignty-data-residency-data-localization]] | ||
| + | )), however, many of the concerns and issues he raises are pertinent to Distributed Computing since the data within the distributed solution potentially can reside anywhere, especially with a [[dido:public:ra:1.2_views:3_taxonomic:2_network_access_ctrll:permisionless | Permissionless Network]]. | ||
| + | |||
| + | He suggests as a starting point for Cloud Computing, try applying the distinctions between [[dido:public:ra:1.2_views:3_taxonomic:4_data_tax:06_protect:start#data_residency|Data Residency]], [[dido:public:ra:1.2_views:3_taxonomic:4_data_tax:06_protect:start#data_sovereignty|Data Sovereignty]] and [[dido:public:ra:1.2_views:3_taxonomic:4_data_tax:06_protect:start#data_localization|Data Localization]] to the following questions about your distributed system: | ||
| + | <WRAP> | ||
| + | * When [[dido:public:ra:1.2_views:3_taxonomic:4_data_tax:02_state_taxonomy:data_in_motion| In-Motion]], which jurisdictions does your data pass through? | ||
| + | * When [[dido:public:ra:1.2_views:3_taxonomic:4_data_tax:02_state_taxonomy:data_in_use| In-Use]], which jurisdictions have access to the distributed data. In other words, where are the Consensus Algorithms run? | ||
| + | * When [[dido:public:ra:1.2_views:3_taxonomic:4_data_tax:02_state_taxonomy:data_at_rest| At-Rest]]: \\ | ||
| + | ♦ Where are each of your various categories of data (personal data, financial records, etc) created or processed and what obligations might this bring? \\ | ||
| + | ♦ Where is it then stored, and who owns the data center? Your data may be in a data center in the UK, but if this data center is owned by a US-headquartered company, then the US Government may have the right to access your data under the CLOUD Act. \\ | ||
| + | ♦ What are your procedures for backup? Where is your data backed up to? According to the type of data in question, what local stipulations exist for the security or encryption of that data? \\ | ||
| + | ♦ How confident are you in your cloud partner(s) understanding of current and future data privacy regulations? How have they evidenced that their data centers meet all your local and global privacy needs, or have you assumed it? | ||
| + | </WRAP> | ||
| + | <color blue><todo @char #char:2022-03-22>New Section -- review </todo></color> | ||
| /**=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- | /**=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- | ||
dido/public/ra/1.2_views/3_taxonomic/4_data_tax/06_protect/start.1633452634.txt.gz · Last modified: 2021/10/05 12:50 by nick
