Cloud migration and data sovereignty: A guide to thriving amid complexity

23rd June 2023

Customer data is the lifeblood of business, and its value cannot be underestimated, especially in today’s world where customers interact across various channels, devices, and locations. Cloud technology provides an efficient and scalable solution to collect, analyse, and store massive amounts of data that can be used to optimise products and customer experience, identify patterns, and enhance performance and operational productivity.

However, alongside its value, cloud technology also presents some challenges for businesses. High among the list of those challenges is the need for compliance and regulatory alignment when it comes to data security.

Cloud technologies have impacted the level of control over customer information. The use of cloud platforms/services means companies relinquish data custody to the provider, which is a significant concern for cloud users. Additionally, data stored in the cloud can be easily transferred across international borders, which poses a challenge for companies.

This blog outlines common data security issues for businesses deploying cloud-based technologies and demonstrates how you can potentially mitigate and resolve these challenges.

Cloud data residency issues

Data residency can be defined as “the set of issues and practices related to the location of data and metadata, the movement of (meta)data across geographies and jurisdictions, and the protection of that (meta)data against unintended access and other location-related risks”.

Cloud technologies can have a considerable impact on data residency, especially for global companies and those with rigorous regulations like insurance, finance, and healthcare. For example, data residency issues could arise in the following situations:

  • If a company stores or transmits the personal data of EU citizens in, or via, a cloud data centre located outside the EU, it may not be compliant with the GDPR.
  • Similarly, if a company in the UK uses an IT helpdesk or BPO solution located outside the EU, this can present challenges with data regulations that span multiple countries, and a risk arises because helpdesk advisors may need access to protected information to perform their service.
  • Large multinational companies wish to consolidate data centres from multiple countries into a smaller set of locations (data centre consolidation).
  • Organisations migrate some or all of their services to the cloud or to a hosted solution managed by a 3rd party company located in another country.

To mitigate these risks, consideration must be given to how data is stored, transferred, and used:

For the storage of data (data at rest) – one of the first steps in compliance is deciding where data will be stored. Using the cloud makes this more challenging, but following a few best practices can greatly reduce the burden. Companies that use the cloud often meet requirements by storing data across multiple locations. This should be guided by accurate information from cloud service providers, so that companies can choose the most favourable regions for storage according to the regulatory requirements that apply in each.

For data transfer (data in transit) and data in use – companies must ensure compliance with data sovereignty requirements at both ends: the country of origin and the destination. It helps to carefully review the laws in each region and adjust the process accordingly. Because data in transit and in use is susceptible to attack, security controls such as encryption and access control should be applied throughout the process.
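The two paragraphs above describe a policy (where each class of data may rest, which cross-border transfers are approved) that is easiest to enforce when it is written down and checked against an inventory rather than reviewed by hand. The following is an added illustration, not code from the original post or from Davies: a small policy-as-code check that runs a data-residency policy over a resource inventory. The region-to-jurisdiction mapping, the inventory, the policy and the `accessed_from` field (which models support staff or tooling reading the data from another jurisdiction, the "data in use" case) are all constructed for the example and are not any provider's real region codes or any customer's real data. Unknown regions and unknown classifications are reported as findings rather than silently passed, so the check fails closed.

```python
"""Data-residency policy check over a cloud resource inventory (added example).

Assumptions (hypothetical, for illustration only): a resource inventory is a
list of dicts describing each data store, and a Policy says which jurisdictions
may hold each data classification at rest and which cross-border transfers
have an approved legal mechanism.
"""
from dataclasses import dataclass

# Constructed mapping from provider region names to a jurisdiction label.
# Region names are illustrative, not any particular provider's codes.
REGION_JURISDICTION = {
    "eu-west-1": "EU",
    "eu-central-1": "EU",
    "uk-south-1": "UK",
    "us-east-1": "US",
    "ap-southeast-1": "SG",
}

ANY = "*"  # marker: this classification may be held in any jurisdiction


@dataclass(frozen=True)
class Policy:
    at_rest: dict   # classification -> set of jurisdictions allowed to hold it
    transfers: set  # (origin, destination) pairs with an approved transfer mechanism


def _finding(resource, code, detail):
    return {"resource": resource, "code": code, "detail": detail}


def _crossing_allowed(policy, origin, dest):
    # Staying within one jurisdiction is never a cross-border transfer;
    # anything else must be explicitly approved (fail closed on unlisted pairs).
    return origin == dest or (origin, dest) in policy.transfers


def evaluate(inventory, policy):
    """Return a list of findings; an empty list means the inventory is compliant."""
    findings = []
    for item in inventory:
        name = item["name"]
        allowed = policy.at_rest.get(item["classification"])
        if allowed is None:
            findings.append(_finding(name, "UNKNOWN_CLASSIFICATION", item["classification"]))
            continue
        home = REGION_JURISDICTION.get(item["region"])
        if home is None:
            findings.append(_finding(name, "UNKNOWN_REGION", item["region"]))
            continue
        if ANY in allowed:
            continue  # unrestricted data: location and transfers are not a concern
        if home not in allowed:
            findings.append(_finding(name, "STORED_OUTSIDE_ALLOWED", home))
        # Replicas and backups are data at rest elsewhere, reached by a transfer.
        for target in item.get("replicates_to", []):
            dest = REGION_JURISDICTION.get(target)
            if dest is None:
                findings.append(_finding(name, "UNKNOWN_REGION", target))
            elif not _crossing_allowed(policy, home, dest):
                findings.append(_finding(name, "UNAPPROVED_TRANSFER", f"{home}->{dest}"))
            elif dest not in allowed:
                findings.append(_finding(name, "REPLICA_OUTSIDE_ALLOWED", dest))
        # Support staff or tooling reading the data from another jurisdiction is
        # data in use across a border; it needs the same approval as a transfer.
        for accessor in item.get("accessed_from", []):
            if not _crossing_allowed(policy, home, accessor):
                findings.append(_finding(name, "UNAPPROVED_ACCESS", f"{home}->{accessor}"))
    return findings


# Constructed sample policy: EU personal data stays in the EU, UK personal data
# may sit in the UK or the EU, and UK<->EU transfers have an approved mechanism.
SAMPLE_POLICY = Policy(
    at_rest={"EU_PII": {"EU"}, "UK_PII": {"UK", "EU"}, "PUBLIC": {ANY}},
    transfers={("UK", "EU"), ("EU", "UK")},
)

# Constructed sample inventory (no real systems or data).
SAMPLE_INVENTORY = [
    {"name": "crm-db", "classification": "EU_PII", "region": "eu-west-1",
     "replicates_to": ["eu-central-1"], "accessed_from": ["EU"]},
    {"name": "crm-backup", "classification": "EU_PII", "region": "us-east-1",
     "replicates_to": ["sa-east-9"]},
    {"name": "ticket-store", "classification": "EU_PII", "region": "eu-west-1",
     "accessed_from": ["EU", "IN"]},
    {"name": "uk-claims", "classification": "UK_PII", "region": "uk-south-1",
     "replicates_to": ["eu-west-1"], "accessed_from": ["UK"]},
    {"name": "web-assets", "classification": "PUBLIC", "region": "ap-southeast-1",
     "accessed_from": ["US"]},
]


def run_sample():
    return evaluate(SAMPLE_INVENTORY, SAMPLE_POLICY)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f['resource']}: {f['code']} ({f['detail']})")
```

On the sample inventory the check reports three findings: the backup of EU personal data held in a US region (and its replica in a region the mapping does not know), and the ticket store whose EU data is read by a support team in a jurisdiction with no approved transfer. The UK claims store replicating into the EU passes because the policy lists that pair as approved. In practice the inventory would be generated from the provider's asset and configuration APIs rather than written by hand, and the check would run in CI or on a schedule so that a new region, replica or support location is caught before it becomes a compliance finding.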

The global state of data sovereignty

Global companies that use cloud computing need to carefully consider data residency laws and regulations in each country where they operate. Just recently (on Monday 22 May 2023), the EU Data Protection Commission (DPC) imposed a record €1.2 billion fine on Meta and ordered it to stop moving EU personal data to the United States, in a landmark decision that found such data transfers illegal.

This has not been the only fine of its kind. Amazon was previously fined €746 million by Luxembourg, and in the past two years the DPC also imposed four fines against Meta’s platforms Facebook, Instagram, and WhatsApp, ranging from €225 million to €405 million.

As data regulation legislation becomes more prominent, more and more countries are introducing and invoking new laws to protect their citizens and reduce the risks of cyber attacks. Companies impacted by these changes are responsible for keeping up with the new laws, because they affect domestic and international businesses. Additionally, new technologies like machine learning (ML), the Internet of Things (IoT), and artificial intelligence (AI) increase the potential for cyber attacks.

In 2021 alone, there were numerous revisions to data protection regulations that have been implemented by various countries such as China, Russia, Saudi Arabia, Turkey, Kuwait, the UAE, Uzbekistan, and Kazakhstan. Additionally, India, Indonesia, and Vietnam introduced comprehensive data protection bills.

The United Kingdom has been in the process of consolidating its data protection laws post-Brexit, as the EU granted a 4-year grace period for compliant data flows. The combined efforts of EU nations under the GDPR, along with the aforementioned countries, mean that the majority of the world’s 30 largest economies now have some form of data protection regulation in place. Regulatory drivers include data privacy concerns, nationalism, and the economic value of data.

Numerous countries have implemented their own data protection regulations, including data localisation laws that limit cross-border data transfers and require sensitive data to be kept within the country of origin. This has resulted in concerns among observers that the internet may soon become fragmented, with each country operating in its own isolated bubble.

While data protectionism could have negative consequences, such as hindering global and domestic economic growth, the increase in data localisation policies does not necessarily indicate a segmented internet is imminent.

As governments continue to grapple with matters of internet freedom and protection, the actions taken over the last few years regarding data legislation are likely to be viewed as a significant milestone in this ongoing struggle.

How can businesses mitigate data residency risks?

Data residency compliance is not a new challenge for many companies, but it can be a complex and demanding task, especially as data protection laws and cloud technologies continue to evolve and change. At Davies we have supported numerous companies in procuring global cloud solutions, such as CCaaS and CRM, and have expertise and proven methodologies to reduce the risks associated with such procurements.

If you are considering migrating, consolidating, or moving services to the cloud, there are numerous considerations and risk mitigations you can focus on when procuring cloud-based technologies to avoid common pitfalls and overcome potential challenges:

Bring in your data experts early into the procurement process

Involving them early ensures the cloud provider has the necessary controls in place to meet your company’s residency requirements. Early collaboration between the parties, at the RFP stage for example, can identify issues and resolutions before they start to impede contracting agreements and solution implementation. You will also need expert legal advice to ensure your solution meets your requirements.

Know your data

Assess how sensitive your data is to its physical location. Know what kind of data is being collected, used, processed, stored, transferred, backed up or otherwise managed on your IT systems. Be prepared to discuss and document data residency and transfer issues with any vendor. In the case of cloud services, the cloud services agreement should explicitly specify where data will be stored, where it will be transferred, and how it will be managed in transit and at rest.

Do not ignore the support model

A common reason cloud-based technologies fail to meet a global company’s data residency requirements is the vendor or partner support model. To provide 24/7/365 support, a vendor or support partner will often use offshored resources in a follow-the-sun model.

Depending on the technology being supported, tickets sent to help desk handlers could contain customer data, or the platform itself could give those handlers access to customer data. You therefore need to think carefully about how data within tickets is handled, how the support model processes that data, and how access to the platform is controlled.

Be mindful of sub-processors

As is often the case with cloud-based solutions such as CCaaS, there will likely be multiple 3rd party vendors providing underlying infrastructure, functionality or services. This means that when you enter a contractual agreement with the primary solution provider, you will also be signing up to any sub-processor agreements included within the service, including agreements for data processing. This can often lead to complications and require a lengthy review process to ensure your data residency requirements are satisfied.

Do not let data residency “fear” be a reason to resist the adoption of cloud solutions

There is a risk of paralysis resulting from an attempt to avoid any risk surrounding data residency. An organisation may incur higher costs or delays in procuring solutions if it overestimates the issues. Managing risks does not mean eliminating them completely; it means applying sound risk management methodologies and solutions to assess and mitigate risks until the residual risk is deemed acceptable.

Have a data migration plan

Before you start the migration process, make an inventory of your data to help identify gaps or potential issues that may arise. Not all data may be necessary or relevant for your new solution, and it’s important to bring only what is needed to avoid clutter and confusion.

Focus on the vendor storage, networking, and hosting infrastructure

If you have localised data residency requirements, be sure the vendor can provide hosting that meets them. Whilst many vendors offer global location options for data centre architecture and storage, there may be underlying processes that cannot be localised, for example a need to transfer data outside of the region. Additionally, if you require your workforce to be able to communicate and work together globally, make those requirements clear, as a disparate localised architecture could in turn mean your workforce operation also has to be disparate.

Conclusion

Many cloud providers have practices to ensure their services comply with regulations such as the EU GDPR, the UK Data Protection Act, PCI and HIPAA. They will likely perform regular compliance audits, provide customers with detailed information about their compliance status, and offer features like data deletion and retention policies that help customers comply with regulations.

However, not all clients have the same requirements; some may have specific contractual obligations and/or a mix of country or industry regulations that cannot be met “out of the box”.

Overall, the customer has the primary responsibility to understand its data and to choose services that will meet both its business needs and the applicable regulatory requirements. Thoroughly investing in best practices could help your organisation boost its digital transformation efforts while mitigating data residency risks.

In conclusion, cloud-based technologies have revolutionised the way businesses operate, but data sovereignty remains a critical aspect to ensure compliance and protect sensitive customer information. Companies must take proactive measures to implement the necessary controls and seek expert advice to mitigate data residency risks and remain compliant with the regulatory environment.

If you are considering migrating, consolidating, or moving services to the cloud, please reach out to Jessica Alexander and David Ilett to discuss how Davies can support you.
