Does your provider store your data in the UK?
Most business leaders say yes and stop there. The problem with this is that location is only one part of the story and arguably the less important part at that.
Confusing data residency with data sovereignty is one of the most common compliance blind spots we see among UK businesses. The terms sound similar, and vendors often use them interchangeably in sales conversations whether you’re speaking to a global hyperscaler or an IT company in Manchester. But they describe fundamentally different things, with very different legal implications.
What is Data Residency?
Data residency refers to the physical location where data is stored. When a cloud provider says your data is hosted in a UK data centre, they’re making a statement about geography. Your files, databases, and backups sit on servers in a specific country.
This matters for performance, latency, and meeting certain regulatory requirements that specify where data must be stored at rest. Some sectors – particularly financial services and healthcare – operate under rules that prohibit data from leaving a defined geography. Data residency controls are how organisations satisfy those rules.
But residency says nothing about who governs that data, who can access it, or which courts can compel its disclosure.
What is Data Sovereignty?
Data sovereignty goes further. It refers to the legal jurisdiction that governs your data: specifically, which country’s laws determine who can access it, under what circumstances, and with what protections in place.
For UK businesses, the relevant framework is UK GDPR and the rules on international data transfers, enforced by the Information Commissioner’s Office (ICO), alongside the Data Protection Act 2018. These laws govern how personal data is processed, transferred, and protected. True data sovereignty means your data sits entirely within that legal framework, not just physically on UK soil.
The distinction becomes critical when your cloud provider is a US-headquartered company operating servers in the UK. The data may be resident in the UK. But sovereignty may tell a very different story.
The Key Differences at a Glance
- Definition: Data residency is where data is physically stored; data sovereignty is which laws govern access and control.
- Focus: Residency is about geographic location; sovereignty is about legal jurisdiction.
- Guarantees: Residency guarantees the physical location of data at rest; sovereignty guarantees legal rights over that data.
- Risk if absent: Without residency, latency and sector non-compliance; without sovereignty, exposure to foreign legal demands.
- Determined by: Residency is determined by data centre location; sovereignty by the provider’s country of incorporation.
In short:
- Data residency tells you where the data lives.
- Data sovereignty tells you who can compel access to it and under which country’s laws.
- A provider can offer one without the other.
Why This Distinction Matters: The CLOUD Act Problem
Consider a Manchester-based professional services firm that migrates to a major US cloud provider’s UK region. On the surface, every compliance box is ticked: data is stored in a British data centre, the contract references UK GDPR, and the provider is ISO 27001-certified.
Then US law enforcement serves a warrant under the Clarifying Lawful Overseas Use of Data (CLOUD) Act. This piece of US legislation, passed in 2018 and signed into law as part of the Consolidated Appropriations Act, gives American authorities the power to compel US companies to hand over data stored anywhere in the world, including UK data centres, regardless of where that data physically sits.
The cloud provider is a US corporation. Its UK subsidiary operates under the US parent company’s jurisdiction. The data is resident in the UK, but sovereignty has never fully transferred. When the request arrives at the provider’s US headquarters, there is no requirement to inform your business, and UK courts have no jurisdiction to block it.
This applies to any business using a US-headquartered cloud provider, regardless of what the contract says about UK data centres or GDPR compliance. IT consulting firms in Manchester and the wider North of England are seeing this become a more common conversation as clients face tighter compliance scrutiny from customers and auditors. For any Manchester business working with an IT consultancy on cloud migration, sovereignty should be on the agenda from day one.
How This Should Shape Your Cloud Decisions
When evaluating cloud providers – whether for infrastructure, hosted applications, or backup – these are the questions you should ask:
- In which country is the provider legally incorporated?
- Can foreign authorities compel data disclosure without notifying you?
- Does the provider operate exclusively under UK or EU jurisdiction?
- Do you hold your own encryption keys, or does the provider?
- What does the contract say about responding to third-party legal requests?
Businesses that handle sensitive client data – legal practices, financial advisers, accountants, healthcare providers – carry the greatest risk from an unmanaged sovereignty gap. The ICO expects organisations to implement “appropriate technical and organisational measures” under UK GDPR Article 28. Choosing infrastructure that creates jurisdictional vulnerabilities may itself be interpreted as a failure to meet that standard.
A properly sovereign cloud solution is one where the provider is incorporated and operates exclusively under UK jurisdiction, or where customer-managed encryption keys mean that any compelled disclosure would yield nothing usable. When choosing an IT provider in Manchester, asking that question upfront – before contracts are signed – is the difference between a compliant cloud strategy and one with a hidden liability. Firms reviewing their cloud infrastructure should treat sovereignty as a procurement requirement, not an afterthought.
Common Misconceptions
- “If the data is in the UK, it’s fully protected by UK law.” Not if your provider is incorporated in a country whose laws extend extraterritorial reach over its subsidiaries.
- “Data residency equals data sovereignty.” Residency is about physical location. Sovereignty is about legal control. A provider can offer both or only one.
- “Our contract guarantees UK data protection.” Contracts govern the commercial relationship between you and the provider. They do not override the domestic laws of the country where the provider is headquartered.
- “We’re too small to be a target.” CLOUD Act requests are directed at cloud providers, not individual businesses. The relevant exposure is the provider’s, and it scales with their US operations, not your company’s size.
What to Do Next
Most UK businesses discover their sovereignty gap at the wrong moment. This might be during a compliance audit, a client due diligence process, or when they receive a data request they weren’t expecting. The conversation is far easier to have before any of those.
If you’re not certain whether your current cloud infrastructure provides genuine data sovereignty, or if you’re comparing IT services in Manchester and want to understand the sovereignty implications before you commit, Cloud Geeni can help. Our managed IT support services are built around UK-based, ISO 27001-certified data centres, operating under British jurisdiction. We work with businesses across Manchester, Liverpool, Leeds, and the North of England to ensure their cloud environments are compliant, secure, and properly sovereign.
Speak to our team to understand exactly where your data sits and what that means for your obligations.