Domain 3 · 3.3 Protecting Data

3.3.3 Data Sovereignty & Geolocation

17 min

Data sovereignty and geolocation refer to the legal and physical constraints placed on data based on its geographic storage location and the jurisdiction of the governing body.

Data Sovereignty and Compliance Data sovereignty is the principle that data is subject to the laws of the country in which it is physically located. This creates significant compliance challenges for multinational corporations moving data across borders. - GDPR (General Data Protection Regulation): A major EU regulation governing how PII (Personally Identifiable Information) must be handled, emphasizing user privacy and data portability. - Jurisdiction: The legal authority that has the right to monitor, seize, or regulate data. - Data Residency: Often used interchangeably with sovereignty, it refers specifically to the physical location (geographic coordinates) where data is stored.

GDPR and Data Roles The CompTIA Security+ exam focuses on specific roles responsible for managing sensitive information under regulatory frameworks like GDPR. - Data Owner: Usually the organization or entity that holds legal rights (copyrights/trademarks) to the data. They delegate day-to-day tasks but remain ultimately responsible. - Data Controller: The entity that determines the why and how of data processing. They ensure the data complies with legal protections and privacy regulations. - Data Processor: A third party or system that acts on behalf of the controller. They perform the actual technical handling of data but do not own or control its purpose. - Data Custodian: The individual responsible for the technical environment, including backups, encryption, and data integrity.

Data Sensitivity and Impact Organizations must classify data to apply appropriate security controls. The sensitivity of data is often measured by the impact of its loss or exposure. - Classifications: Common levels include Public, Private, Sensitive, Confidential, and Critical. - Impact Levels (NIST FIPS 199): - High: Loss causes catastrophic impact to the organization (e.g., total loss of reputation or financial viability). - Moderate: Loss causes serious adverse effects. - Low: Loss causes limited annoyance or minor financial impact. - Consequences: Data breaches and exfiltration lead to reduced productivity, financial penalties (fines), and severe reputational damage.

Quick recall - Sovereignty: Data is bound by the laws of its physical location. - Data Controller: Makes the rules for data use (GDPR specific). - Data Processor: Follows the controller’s rules to manipulate data. - Data Custodian: Manages the technical implementation and storage. - Exfiltration: The unauthorized transfer of data from a system.