Skip to content
Data lock

Geography and ownership risks for owners

Last Updated 17 February 2022

Where your data is stored

Some governments mandate easy access to privately held information in data centres within their countries. Here are two examples:

Case study

Russia’s System of Operative Search Measures (SORM) allows Russia’s domestic intelligence agency, the Federal Security Service (FSB), to covertly monitor communications to, within, and out of Russia. The FSB can also compel companies and individuals to share data stored in Russia with them and could prevent the data holder from disclosing this to the data owner. All communication service providers (CSPs) operating in Russia are obliged to install equipment to enable the FSB to monitor communications. The FSB is not obliged to provide CSPs or commercial companies with any details of their monitoring by SORM. This may mean that you are unaware of how your sensitive communications and information may be used outside your commercial engagements in Russia or with Russian individuals and companies.

Case study

China’s National Intelligence Law (NIL) allows Chinese intelligence agencies to compel Chinese organisations and individuals to carry out work on their behalf and provide support, assistance and co-operation on request. This law may affect the level of control you have over your information and assets as you engage with Chinese individuals and organisations.

UK GDPR considerations

The UK General Data Protection Regulation (GDPR) sets out key principles which data controllers and data processors must comply with when processing personal data, including restrictions on personal data being transferred out of the UK unless the jurisdiction has adequate levels of data protection or there are appropriate safeguards in place. Failure to comply with the principles of the UK GDPR can result in substantial fines – up to 4% of your company’s total worldwide annual turnover, or up to £17.5 million (whichever is higher) in the most serious cases, as well as potentially damaging your reputation.

Read the ICO’s latest guidance on GDPR.

Foreign direct investment

If a data centre is open to foreign direct investment (FDI), shareholders from a country hostile to the UK may be able to gain greater influence over operational decisions, including security-related ones. This may increase the risk posed to your infrastructure and/or data should shareholders be linked to or pressured by their domestic government, which may be hostile to UK interests. CPNI, the NCSC and the Department for Business, Energy and Industrial Strategy (BEIS) have produced joint guidance on making informed decisions with regards to foreign investment and how this will work under the new National Security and Investments Act compliance regime.

Did you find this page useful? YesNo
Thank you for your feedback. If you have any further suggestions on how this information can be made even more useful to improve your experience, feel free to share details below.
Thank you for your feedback. Sorry to hear that you haven't found this information useful. Please help us improve your experience and share how we can make this information more useful for you.