How businesses can address the data sovereignty challenge

01 November 202211 Minute Read

Rob EllissVP of Data Protection Solutions, EMEA | Thales Cloud Protection and Licensing

The quest for digital sovereignty is a goal shared by companies, public authorities, citizens, and consumers.

In the last few years, the volume and value of digital data has increased tremendously. As modern organizations and nation states are pursuing their digital transformation strategies, they become reliant upon digital platforms as part of their operations. While digitalization has brought considerable opportunities, new risks have also emerged. Data theft and compromise is real risk for all organizations, costing millions of dollars every year.

The World Economic Forum estimates that over 92% of all data is stored on servers owned by US-based companies. The sense of losing control over your data is an escalating anxiety for all businesses and governments all over the world. The fear of foreign entities compromising sensitive data has brought into discussion the concept of data sovereignty and how businesses can ensure that their valuable data doesn’t fall into the wrong hands without permission.

What is data sovereignty?

The World Economic Forum defines data sovereignty as “the ability to have control over your own digital destiny – the data, hardware and software that you rely on and create.” Data sovereignty emerged as a need for “strategic autonomy” of the European institutions, seeking to reduce “dependencies”. A recent paper authored by the heads of Germany, Estonia, Finland, and Denmark notes that EU needs to “foster the Digital Single Market in all its dimensions where innovation can thrive and data flow freely. We need to effectively safeguard competition and market access in a data-driven world.”

The quest for digital sovereignty is therefore a goal shared by companies, public authority stakeholders and, more recently, Internet users, citizens, and consumers. Data sovereignty has become a concern for many policy-makers who feel there is too much control ceded to too few places, too little choice in the tech market, and too much power in the hands of a small number of large tech companies. This quest for sovereignty is even more important considering that the pandemic highlighted the EU Member States’ dependencies on vaccines, protective masks, and increasingly on digital technology developed by GAFAM (Google, Amazon, Facebook, and Microsoft).

In the wake of the movement initiated by Europe and followed by the United States, governments are implementing privacy policies to meet new requirements in terms of confidentiality, support and security of data processing. Data processing poses a challenge in terms of sovereignty, requiring the introduction of an appropriate legal framework, as reflected by changes in European laws and in the Middle East.

The problem of data sovereignty is closely related with the cloud. Data stored in cloud computing services may be under the jurisdiction of more than one country’s laws. Different legal requirements regarding data security, privacy, and breach notification could occur, depending on where the data is being hosted or who is controlling it.

As you consider where to store data—on-premises or in one or more public cloud providers—you need to consider where the data will be stored, what laws are applicable to these geographic locations, and whether storing data in a certain location will be beneficial or harmful to your business.

Companies using cloud infrastructure must address data sovereignty analysis holistically. Data sovereignty is not an issue that can be addressed only by the Chief Information Officer. IT security, legal department, procurement, risk managers, and auditors must all be involved in risk management and governance processes.

At this point it is essential to understand that data sovereignty is different than data localization.

Data sovereignty is a governmental policy or law noting data is subject to the data and privacy laws of a specific geographical location.

Data localization is a governmental policy or law that specifies where governments can locate data. An example is the EU GDPR. It states that European countries should host all personal information collected on European citizens within the EU within the EER, EU, or several other specified countries.

How are businesses affected by data sovereignty laws?

The invalidation of the EU-US Privacy Shield in 2020 by the Court of Justice of the European Union through the Schrems II ruling was the event that triggered the discussion about data sovereignty. Although the EU and the US have already agreed to a new Trans-Atlantic Data Privacy Framework to sufficiently manage such data exchanges, it should be noted that the Schrems II ruling affects all data transfers between EU and third countries, including the states in the Middle East.

The EU-US Privacy Shield worked as an overall legal protection umbrella under which global enterprises were safe to work and transfer data between the European Union and the United States. It is estimated that over 5,000 organizations, their subsidiaries, and their suppliers were affected by the ruling threatening a portion of the $1.3 trillion in yearly transatlantic trade.

The EU-US legal digital sovereignty challenge is the most visible example, but it is by no means the only point of contention. Around the world, even between EU member states, digital sovereignty is becoming an issue.

The surge in privacy regulation in recent years has prompted a shift towards localization and the containment of data within state boundaries. As a response, technology giants are building localized data centers to circumvent geographical barriers to business, while providing complete oversight over data storage and access to meet the compliance requirements. With more and more countries worldwide enacting similar data protection and privacy laws and regulations, the issue of data sovereignty and digital destiny remains a multifaceted one.

The key challenges of data sovereignty

Data sovereignty has raised questions for CIOs considering their cloud strategy, governance, and risk management. When you expand your data to additional regions, whether for production data, data backups or disaster recovery, you must be mindful of data sovereignty.

Data at rest

Before you even think about compliance, regulations, and rules, one of the initial things to consider is how and where you store your data. The first choice is whether to store data on premises or in the cloud. In the cloud, data sovereignty becomes more complex.

If you migrate your data to the cloud, as most companies do, you will need to select options for replication and backup, which in many cases will involve storing data in another geographical location. The cloud provider may or may not allow you to select the region where backups or replicas will be stored. You should ensure that you are able to specify the region in which data will be stored and understand the regulatory requirements of each region.

The challenge is not only where the sensitive data resides geographically, but even who has access to sensitive data inside a corporation. For example, according to the recent Schrems II decision, if an employee based in the United States accesses sensitive EU protected data inside his own organization, this could be considered an “export” of sensitive data and an infraction of the GDPR rules.

Data in transit

Organizations often overlook data in transit. However, it is essential if you consider the following questions:

How often do you transfer data between geographical regions?
From where and to where is data transferred?
What type of data is typically transferred?

You should understand your data flows because they relate to how data is being collected and processed. It is especially important to understand data sovereignty in the source and destination region, and if there are legal issues, adjust your data flows to ensure data ends up in the most appropriate legal jurisdiction.

However, in a multi-cloud organization, taking care of data sovereignty is easier said than done. This is especially difficult when a majority of enterprises rely heavily on third party service providers for intelligent insight and competitive advantages extracted from often regulated company data.

The three pillars of digital sovereignty

Thales considers data sovereignty as one of the three pillars towards an effective digital sovereignty in support of a successful cloud strategy. The other two pillars are operational sovereignty and software sovereignty.

Data sovereignty means maintaining control over encryption and access to your sensitive data to ensure it doesn’t fall into the hands of a foreign entity without express permission resulting in non-compliance with regulations.

Operational sovereignty means giving an organization the visibility and control required to ensure that criminals cannot access, or prevent you from accessing, your valuable data, such as in the case of privileged user access or a ransomware attack.

Software sovereignty means running workloads without dependence on a provider’s software, offering the freedom to store and run workloads wherever desired to maximize performance, flexibility, and overall resilience.

Discover, Protect, and Control your Sovereignty

Organizations can achieve data, software and operational sovereignty with automated risk assessment and the centralized protection and control of sensitive data across cloud and on-premises systems.

Discover
For an organization to decide which levels of protection and controls to use, it must be able to discover data wherever it resides and classify it. This means scanning all on premises and cloud repositories for structured and unstructured data, which can be in many forms, including files, databases, and big data. Data sovereignty starts with finding your sensitive data before criminals do.

Protect
Once an organization knows where its sensitive data is, it should protect that data with measures such as encryption. For encryption to successfully secure sensitive data, the cryptographic keys themselves must be secured, managed, and controlled by the organization.

Control
Finally, the organization needs to control access to its data and centralize key management. Every data sovereignty or privacy regulation and mandate requires organizations to be able to monitor, detect, control, and report on authorized and unauthorized access to data and encryption keys.

To find out more about Thales and the services they provide to the retail industry, click here.

This article was also published in The Retailer, our quarterly online magazine providing thought-leading insights from BRC experts and Associate Members.