How startups can ensure data protection and data sovereignty compliance in the cloud

Victoria Oresanya
15 Jun, 2022

An increasing number of businesses are moving their data and workloads to the cloud. This is happening because the cloud offers them numerous benefits. It lets them access their data from wherever they are, scale resources quickly, utilize unlimited storage capacity, and effectively manage operating expenses. 
The cloud isn’t just intangible space. It is supported by physical infrastructure, i.e. servers housed in data centers. Data stored in the cloud is held in these physical locations. There are thousands of these data centers spread across the world, with each one holding huge amounts of data.
Governments are becoming interested in what happens to the data kept in these sites. They are specifically concerned about exerting control over data that’s housed within their country’s borders. They also want to ensure that their citizens’ data doesn’t fall into the hands of hostile actors, such as cybercriminals and rogue states. So they are instituting laws that enable them to exercise sovereignty over data kept within their territory, and introducing legislation that protects their citizens’ data, especially data held in cloud environments.
Startups maintain and work with a lot of data, including that of their customers and partners. As such, they are expected to comply with the data protection laws and data sovereignty laws of the country in which they operate. This requirement is becoming more important to startups, as more of them transition to the cloud.
In Nigeria, the Federal Government expects businesses active in the local market to adhere to the Nigerian Data Protection Regulation (NDPR). It was issued in 2019 by the National Information Technology Development Agency (NITDA), and is the primary data protection law of the country. There are others, including the Cybercrimes Act 2015, the National Identity Management Commission Act 2007, and the National Cybersecurity Policy and Strategy 2021.
These laws define the rights of persons whose data are collected, held, or processed by organizations. They also address the duties of and restrictions on data controllers and data processors, and the movement of data to foreign territories. 
Ordinarily, the existence of these laws should not pose difficulties for businesses. But things become complicated when startups hold their data in multiple countries. Each of these locations may have its own data protection and data sovereignty legislation, with differing and sometimes contradictory requirements. Such a situation quickly becomes a nightmare for the startups concerned.
This isn’t merely a hypothetical scenario. Many startups do have their users’ data domiciled in more than one country. This often happens because their cloud service provider houses the data on foreign soil. The startups in question may not even be aware of this. But their lack of knowledge of the situation doesn’t keep them from bearing the consequences if the authorities in the host country determine that they have violated its laws.
The consequences for falling afoul of data protection rules can be quite severe. In Nigeria, the NDPR stipulates that if a data controller suffers a data breach, they may have to pay a fine of up to 2% of the annual gross revenue that they recorded in the previous year, or a sum of ₦10 million (whichever is higher). Even stiffer fines apply elsewhere in the world. In Europe, the General Data Protection Regulation (GDPR) empowers authorities to impose a fine of up to 4% of the offending company’s global turnover, or €22 million—whichever is greater.
Larger corporations may be able to pay these charges. But the fines could cripple startups. To avoid this, startups need to know where their data (or their customers’ data) is kept. They also have to find out what data protection and sovereignty laws apply in those places. Finally, they need to be sure that their cloud service provider adheres to those laws. If the cloud vendor fails to comply with the law, both the vendor and the startups that use it could face harsh punishments.
Startups may do what they can to stay on the right side of the law. They could engage in-house and external legal experts, study the laws in the various jurisdictions in which their data is housed, and try to be as fair as possible in their handling of personal data. However, the complexities of the multiple rules they have to abide by may prove overwhelming for them.
A more realistic solution for startups would be for them to keep their data in a single country—preferably with a cloud service provider that houses data locally. This way, startups will only have to bother with a single set of legislation. It will be easier for them to implement measures that protect their users’ data, and keep them in line with data sovereignty requirements.
Many cloud vendors are secretive about where they house their clients’ data. It’s best to avoid such firms. To stay on the safe side of the law, startups should only engage cloud service providers that are transparent about where they keep data. By insisting on this, they can narrow down their options to just a handful of honest providers.
One of the widely trusted cloud service providers in this category is Layer3Cloud. They have a broad client list which includes businesses in several industries, public sector agencies, and non-governmental organizations. Their data centers are located in Lagos and Abuja, and clients can host their hardware in them. They also promise that these locations are secure (they have biometric and electronic access control) and come with round-the-clock on-site support for clients.
Layer3Cloud offers cloud backup and disaster recovery, object storage, and colocation services to startups in Nigeria. It also provides virtual servers and virtual data centers, and assists businesses that intend to migrate to the cloud. It is open to consultations as well, for organizations that seek solutions tailored to their specific needs.
Startups are right to be concerned about data protection and data sovereignty laws. Complying with these regulations could be the difference between retaining their customers’ trust and tarnishing their public reputation. While they may want to stay on top of the evolving rules concerning personal and general data in multiple jurisdictions, they will be better able to manage things if they host all their sensitive data closer to home.