Data Sovereignty

Data sovereignty refers to the principle that data is subject to the laws and governance of the country in which it is stored or processed. As organizations move workloads to cloud providers, data may physically reside in multiple jurisdictions simultaneously, each with different legal requirements.

The EU’s GDPR is the most prominent example. European citizen data must be handled according to GDPR requirements regardless of where the company processing it is headquartered.

CISSP Relevance

Data sovereignty is addressed in Domain 1 (Security and Risk Management) and Domain 2 (Asset Security). CISSP candidates must understand how jurisdictional requirements affect data classification, storage decisions, and cloud architecture choices.

External reference: FTC International Data Transfer Guidance

Related terms: Data Classification, Compliance