Governing factors in data sovereignty on the road ahead

Now is a timely moment to delve into the digital dilemmas thrown up by data sovereignty, and look into some of the current projects, protocols and processes now impacting the way we work in order that we can accommodate for information compliance in the face of new rulings and legislation.

Blue Technology Digital Highway background

In this world, sovereignty is supreme. In all matters relating to royalty, we always consider sovereignty as the pinnacle of power and authority, whether we ourselves are royalists or not.

In the realm (pun not intended) of information technology, sovereignty and, in particular, data sovereignty is also supreme. Variously described as an idea, a concept, a policymaking stipulation and sometimes as a core principle of data security, today we understand data sovereignty to form a key guidance role in the globally networked world of cloud computing.

In simple terms, data sovereignty is the process by which we ensure that digital data is subject to the laws of the country in which it is processed, analysed, stored, housed and managed.

Geopolitical gyrations

Although data sovereignty made a lot of headlines during the Snowden revelations almost a decade ago, it remains in the cultural psyche of many multinational corporations today due to current geopolitical gyrations and instabilities across world markets in the wake of the pandemic.

That being said, even outside of the maelstrom of forces inside the geopolitical vortex now interplaying with post-Covid realities, the global explosion in data alongside the breadth and width of international commerce pipelines today all compel us to drive towards a new level of government-approved data oversight.

One man who knows this space well is director of digitalisation strategy at Tibco, Alessandro Chimera. Having studied the GAIA-X project closely, Chimera reminds us that this work means Europe has started an initiative to create a new approach to ensuring digital sovereignty in response to cloud hegemonies centred around US and Chinese mega-cloud platforms.

“GAIA-X is considered the next-generation cloud for Europe. The idea behind the new platform is that the system would see various suppliers of cloud services linked up via an interoperable data exchange that would act as a vessel for data across industries.

It will also act as a repository that businesses can search when looking for specific data services, such as Artificial Intelligence (AI), Internet of Things (IoT), analytics and big data,” explained Tibco’s Chimera.

GAIA-X will make it easier for businesses across various industries – such as healthcare, agriculture, finance, energy and public services – to exchange data and realise not only data sovereignty but also data availability and data innovation; it’s a win-win-win situation, all three at the same time.

Given the work achieved and our discussion here thus far then, what other factors should C-suite executives be aware of when we think about rulings such as the US Cloud Act Agreement, the European Schrems II judgement and their implications on data exchange and storage?

The innovation imbalance

According to Chimera, organisations need to act now in light of the above contextualisation of our situation and, crucially, they need to do so based upon a stark imbalance that every one of us experiences given the nature of the cloud’s very structure.

“It’s a simple equation, companies need to leverage data in the cloud and do so at scale; because the mega-cloud hyperscalers are primarily based in the USA and China, there is an inherent imbalance where these firms have an outsized impact on innovation,” he said.

“Where these imbalanced behemoths fail to meet EU, UK and other European data privacy stipulations, we risk architecting with modular DNA structures that may almost inevitably decay or fracture. This is a situation that, for now at least, is going to get worse, more pressing and harder to manage. According to technology analyst house IDC, between 2010 and 2022 we witnessed a 5250% in growth in global data. Given our still-growing use of AI, social media platforms, the Internet of Things (IoT) and devices in general, the trend is still upwards,” explained Chimera.

But within all of this backdrop, we seem to have forgotten that international business means business being conducted around the world, internationally. The clue is quite definitely in the name.

Big clouds, big responsibility

Today we know that data can be generated, processed, moved, exchanged and integrated at a massive scale on cloud providers such as AWS, Microsoft Azure, Google Cloud Platform, Alibaba and the other contenders to that four-point crown. For the record, the other smaller players in this space are IBM Cloud (Kyndryl), Oracle Cloud, OVHcloud, Tencent Cloud, DigitalOcean and Linode (owned by Akamai).

From all those cloud providers, we now see sensitive information being processed such as Electronic Patient Records (EPRs), medical formula information, private e-commerce transaction data and so much more besides.

“If we combine the comparatively microeconomic notion of these data workloads on their own with the macroeconomic view of that information collected by cloud services providers in the form of metadata (IP addresses, credentials, logging information and more), then we can see why we need to get to a point of more competent data control.

“Even the casual observer and non-data scientist should have established a pretty clear picture of the data imperatives in front of all now. With all these responsibilities to address, we stand today at a point where Europe has a special opportunity to address the need for more data sharing and decentralised data processing being closer to the user,” clarified Tibco’s Chimera.

Actions C-suite execs can take now

Given that data remains at the centre of our digital transformation efforts, what does the Tibco digitalisation strategy team think organisations can do now to address the most pressing areas of concern in data sovereignty?

Chimera provides the three below actions, that can be approached and carried out concurrently and continuously. He advises that the below advisory actions are numbered purely to denote a possibly logical process of sequence.

Action #1 is a self-audit process. This is a good point to review an organisation’s current and planned data management and cloud computing strategy, initiatives and tactics to raise awareness of the data usage responsibility that is incumbent across all employees. All members of staff should be educated on GAIA-X and informed as to how and why it is currently evolving.

Action #2 is a deeper step into practicality. This is the point where a business establishes and formalises its cloud-centric Environmental, Social & Governance (ESG) policies and sees them form the bedrock of how a new (or existing) Centre of Excellence (CoE) for data governance and sovereignty becomes part of every staff member’s weekly routine. All stakeholders need to understand how and why open, transparent and secure approaches to data that are fully documented, are a fundamental workplace requirement.

Action #3 is an overarching process. This is where a business seeks out vendors and partners who conform and align with EU principles that call for: “An open, transparent and secure digital ecosystem where data and services can be made available, collated, and shared in an environment of trust.”

“Where an organisation doesn’t have a formalised Chief Data Officer (CDO) position, they can still work towards focusing on data quality, privacy, data sovereignty, data ownership and AI ethics with the existing IT function in place. Navigating the road ahead means moving from a cloud-first and cloud-native basis, to one that is omni-cloud cloud-smart in terms of data sovereignty and information responsibility as a whole,” concluded Tibco’s Chimera.

In the new era of data-driven everything, data sovereignty may be one of the more sombre matters of state that increasingly cloud-native firms will have to address, but it’s still vitally important to embrace and execute upon. If Chimera’s guidance helps initiate some positive action here, then we have moved forwards in the right direction.