Defining data privacy, residency and sovereignty in the cloud
Not so fast.
What may appear to be a relatively straightforward concept has instead become an extremely complicated situation due to the numerous regulations defined, countless re-purposed terms used, and the variety of technology capabilities offered. This reality has an impact downstream in the form of significant considerations and ramifications for public and private organizations alike. To begin to simplify this complexity, let’s start with the definition of the parts that make up the whole of digital sovereignty.
First, let’s discuss data sovereignty and data residency. These two terms are often combined and intermingled into a single statement that can introduce confusion right off the bat.
If no jurisdiction is involved, then data residency is the proper term as it is simply ensuring that the data — and the processing of that data — sits within an explicit geographical location. However, if the data is subject to exclusive legal protections within a particular jurisdiction of a nation, this is a matter of data sovereignty.
Data sovereignty is the ability to maintain legal control and authority of the data within the defined nation’s jurisdictional boundaries. This includes data flows and subsequent processing of that data located within the jurisdictional boundary in question. This also includes any additional data and metadata created by the processing of the original data that falls under this same jurisdictional requirement.
While it may come naturally to focus on the data — and the technology that creates it —the topic ofdata sovereignty extends well beyond the data and technology to encompass data privacy, human rights, national identity, national security, a nation’s digital capability, the value of data, the data economy and ultimately economic growth.
The jurisdictional boundary can be extended across national borders to encompass the full scope of a legal entity. A prime example is the grouping of political territories such as the European Union (EU) and legal bodies within the EU such as the European Commission (EC) and the Court of Justice of the EU (CJEU). Member states, such as Germany or France and their respective governments and judiciaries, would have their own jurisdictions in addition to that of the EU bodies.
Data sovereignty is not the same as digital sovereignty. Rather, data sovereignty is merely a subset of the desire to achieve digital sovereignty. Beyond the data, digital sovereignty is about achieving digital autonomy across the entire end-to-end ecosystem and infrastructure, including the hardware, software, identities, access, data processing capabilities, the security of the data and the cyber resilience of the infrastructure.
With this in mind, a sovereign cloud is one that supports the destination of digital sovereignty, but does not, itself, provide data sovereignty nor on its own deliver digital sovereignty.
Rather, a sovereign cloud allows an organization to ensure they can offer data sovereignty on the platform without sacrificing any of the commercial benefits of cloud-at-scale such as the flexibility, agility, and visibility organizations have come to expect from a modern cloud environment.
Complexity of the digital and data sovereignty landscape
What is apparent as we consider the current global arena surrounding data privacy and the broader digital and data sovereignty considerations is that it is a space that while developing rapidly still has much interpretation and evolution to occur. Globally, between nations and regions, as well as within countries and regions, there have been and continue to be significant data privacy developments and in particular recognition of the importance of increased sovereign safeguards when it comes to better protecting mission critical and sensitive private and public organization data, and the data of the citizens and customers that those organizations hold.
Similarly, there is global recognition of the significant challenges when it comes to the ongoing discussions and deliberations in this space, but there is also the realization of the success to be enjoyed in overcoming these challenges. This success will result in not only greater surety when it comes to individual, citizen, public and corporate data privacy, but also to significant social and economic benefits. These benefits will flow from not only securing these critical sovereign data assets, but also from ensuring that the core data is accessible to sovereign research and analysis and the subsequent tremendous value of the evolving data sets.
At first glance, considerations of digital sovereignty appear to be a straightforward discussion, however hopefully we have demonstrated that it is a topic deeply impacting across a very broad ecosystem of highly interrelated and, at times, contentious and competing matters, and it is a topic worthy of attention and discourse.
Taking control of your digital destiny with a sovereign cloud
The idea of a sovereign cloud is not a new concept and, hopefully, there isn’t much confusion surrounding its vital role in an organization’s journey to achieve digital sovereignty. Even with countless ambiguities present in legal and compliance arenas and ongoing uncertainty in the global, national and regional data privacy landscape, the relevance of a sovereign cloud as part of the journey toward digital sovereignty is more significant now than ever before.
A sovereign cloud should focus on one key element: to provide better infrastructure control so both public and private organizations can ensure they are following and applying the necessary data privacy, security and compliance measures to protect sensitive and regulated data and application workloads. As noted earlier, this infrastructure control extends beyond the data, applications, and systems; it also covers controls for data in transit, data workflows, data processing capabilities — such as artificial intelligence and machine learning algorithms — and access to the data.