Your information is at the crux of the issue of data sovereignty. Where is your information? Who has access to the information? Do you have control of your information in each country, or does the government also have access to (and control of) your data?

Oracle describes how “the exponential growth of data crossing borders and public cloud regions [has seen], more than 100 countries now have passed regulations.” There is no one-size-fits-all set of rules, and therein lies the conundrum for CISOs, especially those whose customer base or digital infrastructure crosses political boundaries.

In a paper published on August 3, Professor Susan Ariel Aaronson of George Washington University commented how, under the guise of digital sovereignty, “governments are seeking to regulate commercial use of personal data without enacting clear rules governing public sector use of data.”

In a 2020 “ideas paper,” the EU described digital sovereignty as “Europe's ability to act independently in the digital world and should be understood in terms of both protective mechanisms and offensive tools to foster digital innovation (including in cooperation with non-EU companies).”

The EU’s GDPR has effectively forced a sea change, and not only for EU-centric companies. As Kim Chan, CEO of DocPro, notes, “the GDPR being an EU regulation, organizations all around the world have scrambled to comply with it. This is because the GDPR is applicable not only within the EU but also applies to entities that offer goods and services and collect and process the data of EU customers.”

The interest in securing citizens’ data is universal. The African Union is working to catch up with the development of a unified common data system. The goal is to “regulate the ever-increasing production and use of data across the continent, whilst creating a safe and trustworthy digital environment that supports the development of a sustainable and inclusive Africa digital economy and society.”

Stephen Boyce, senior advisor to the International Foundation for Electoral Systems (IFES), reflected on the IFES experience, given that the non-profit has offices in over 20 countries, characterizing compliance with the data sovereignty laws of each country as “challenging.” He continued how the need to account for the better-understood laws, such as GDPR, and the one-offs as they pop up, means “our team has to go to the drawing board to think through how it will impact our operations.”

The looming question that all CISOs and managed security service providers (MSSPs) must be able to answer is, “Where is the data?”

Avoiding data sovereignty violations

Those companies who are putting their data into the cloud must realize that not all providers are created equal, and one must do their due diligence to ensure they avoid storing data in places with data sovereignty laws. Daniela Sawyer of FindPeopleFast, speaking from firsthand experience, found that “verifying that data exists only at allowed locations is difficult. It requires the cloud customer to trust that their cloud provider is completely honest and open about where their servers are hosted and adhere strictly to service level agreements (SLAs).”

It isn’t just the smaller companies having issues. In May 2021, the EU’s European Data Protection Supervisor opened a probe into how entities within the EU were using both AWS and Azure, to answer the question: Are they adequately protecting the privacy of their users?

Expect data sovereignty to increase OPEX

Operating expenses are being impacted by data sovereignty. Attila Tomaschek of ProPrivacy commented, “Additional ongoing expenditures include continuous staff training on cybersecurity best practices, investment in new technologies and network monitoring tools, and bringing on additional personnel such as a data protection officer, compliance officer, or other staff dedicated to securing business data and complying with data sovereignty laws.”

A similar view is shared by Jesse David Thé, CEO of Tauria, who shared how his entity navigates through GDPR: “We need to show a specific data trail of how we obtained someone's contact information. They have a right to be forgotten from our system and we must have explicit permission to send them marketing emails. This data exists within our walled garden, and we can't share it with any of our partners for example. Neither can a partner share client contact information with us unless the client gives permission.”

Thé noted how the need to comply drove their OPEX up and was instrumental in the decision to hire “a CIO to help us ensure our GDPR compliance.” He continued that small companies will need to budget for this.

Infosec must evolve

Anderson Lunsford, CEO of BreachRx, noted how breach notification requirements are changing, with insurance companies requiring near real-time notification of breaches or compromises. The insured that fails to do so puts coverage of its claims at risk. Lunsford also observed how companies may have incident response plans put together by information security professionals on paper, yet far too many never practice the scenarios outlined, nor have they incorporated the requirements of the various privacy laws.

Lunsford notes one salient aspect of breach response, especially when considering penalties imposed upon companies: “The companies that are penalized the most aren’t necessarily those with the biggest breaches, but those that don't handle the response work well. Regulators have been increasingly vocal about their views in this regard. It is well-accepted in the security and privacy industries that incidents will happen to all organizations (it's not if, but when). Regulators and customers expect companies to be prepared for these inevitable situations and respond timely and appropriately.”

Penalties come, and some come at you hard. Law firm Morrison & Foerster (MoFo), in a recent Privacy Minute newsletter, shared how businesses in and outside of Russia have received queries asking the companies to confirm that they store the personal data of Russian citizens in Russia. Google’s Russian experience is worthy of note. In late July, “a court in Moscow fined Google 3 million rubles ($40,750) for the US technology giant's refusal to localize the personal data of its users in Russia.”

In India, credit card companies are apparently finding India’s data privacy laws difficult to navigate. MasterCard was the most recent entity to be barred from accepting new customers in India due to allegedly being noncompliant. MasterCard was preceded by American Express and Diners Club, with the Reserve Bank of India (RBI) booting all three indefinitely from issuing new credit or debit cards within the Indian domestic market. RBI alleges they violated data storage rules.

“The disparate and myriad data sovereignty laws around the globe necessitate clearer views into data flows, but to date, there is no one, easy way for large enterprises to achieve full visibility and monitoring,” says Katie Teitler, vice president of research and advisory at TAG Cyber. “Newer tools are coming on the market to help, but at least for the foreseeable future, a lot of time and money will be spent on compliance.”

Suffice it to say, the view over the horizon sees a good deal of heavy lifting for CISOs and their teams.