5 Things Every CXO Needs to Know About Data Sovereignty

Getting innovative value from data today depends on leveraging data in the cloud—and at scale. This means that a small number of private mega-cloud platform companies based primarily in the US and China have an outsized impact on innovation. There’s further risk that this handful of companies will fail to meet EU privacy needs for data sovereignty at a time when innovation demands more and more data to fuel artificial intelligence projects. For innovators based in the EU, or who trade with the EU, it’s clear that there is a need to reduce this risk.

With the emergence of cloud providers, the tremendous growth of generated data, and the speed of transfer, data is no longer limited to a specific region or confined to company data centers. There's no end in sight to the exponential growth of data volumes, variety, and sources. The proliferation of IoT devices and the burgeoning use of social media are among the biggest contributors to this growth.

How can chief experience officers (CXOs) reduce risks associated with growing customer data? Keep reading to learn more.

What is Data Sovereignty? 

As organizations transform digitally and move their legacy architectures to modern cloud-native architectures for the benefits this brings, a new challenge has started to emerge: data sovereignty.

Data sovereignty is concerned not just with where data is stored, but with how it complies with the current regulations of the region in which it is collected. Data governance relates to how an organization internally handles and interacts with data; one of its goals is to enhance regulatory compliance.

Since most companies are operating globally with customers and partners located in any part of the world, there’s a constant movement of data. Data can be generated, stored, and processed by any cloud provider, but the implications of where the data is located are huge. For example, think of the implications of uncontrolled or leaked patient-related data from healthcare providers, formula-related data from manufacturers, or customer behavioral data from e-commerce sites.

Another concern is the metadata that cloud providers are collecting. People don't realize that their data is being stored: IP addresses, credentials, login information, and more. Recent geopolitical events have also contributed to the importance of controlling data, but not every country is aligned on how to regulate it. International battles over digital sovereignty are ongoing, both in how data is stored and in how it is used.

Many Countries, Different Approaches

European industries and public sector organizations are storing more and more data in cloud-based data centers. As is widely known, this playing field is dominated by US-based tech giants and up-and-coming Chinese cloud providers. To respond to the pressing demand to regulate data flows, the American government introduced the US CLOUD Act, and similar laws have been introduced in countries like China. But these laws conflict with the new EU rules and with the decisions introduced by the EU Court of Justice with the Schrems II judgment, which had significant implications for users of US cloud services.

The European Union wishes to mitigate dependence and the risk of foreign access to critical data. But what’s conflicting? 

The CLOUD Act, which is not only applicable to cloud providers, is divided into two distinct parts. The first part clarifies the existing legal situation and the process to be used by law enforcement agencies via the MLAT (mutual legal assistance treaty). The second part authorizes the US to enter into agreements with foreign states. The UK has signed such an agreement with the US, allowing law enforcement agencies of both countries to demand, with proper authorization, electronic data regarding serious crime directly from tech companies based in the other country.

Interestingly, no current EU member states have signed such an agreement with the US. The bilateral agreements contemplated by the CLOUD Act should have removed any possible conflict and created a shared level of privacy and civil-liberties protections. But organizations are concerned about the possible harmful effects on privacy and human rights, as the CLOUD Act does not require foreign partners to adhere to standards that perfectly match the US legal system. In any case, to be eligible, a country must establish appropriate standards to protect privacy, civil liberties, and human rights, such as agreements that are reviewed for renewal every five years thereafter.

5 Ways to Ensure Data Sovereignty 

We can all agree that citizens should have control of their digital identity and related data. Check out these five steps to learn how you can control who can access data, discover where data is located, and ensure that your organization adheres to upcoming data regulations:

  1. Create the role of a chief data officer in your organization to focus on data quality, privacy, data sovereignty, data ownership, and AI ethics.
  2. Discover and classify your data; mitigate risks for all data that might be critical and sensitive, including sovereignty and access risk.
  3. Map out your data flows and conduct a data protection impact assessment (DPIA) before migrating to the cloud.
  4. Move from a cloud-first to a cloud-smart approach as applications may have different requirements for accessibility, performance, security, and regulatory compliance. 
  5. Engage a cloud-agnostic software vendor that can prevent cloud provider lock-in and guide you to be compliant with the latest data regulations and open to other cloud providers.

Anticipating and aligning with EU principles on cloud sovereignty reduces the complexity associated with adopting ESG regulations and facilitates compliance with upcoming AI regulations. GDPR is the first step towards granting data subjects (individuals) the right of access, the right to rectification, the right to erasure, the right to restrict processing, and the right to data portability. Data sovereignty, an idea introduced even before GDPR, is the next step in ensuring that data is where it should be and is subject to the laws of the nation where it is collected.

TIBCO Cloud Offers Vendor Flexibility

TIBCO Cloud Integration prevents vendor lock-in and helps you comply with any cloud regulation beyond GDPR. With over 230 different connectors, TIBCO Cloud can connect across any endpoint for easy connections and vendor flexibility, enabling you to choose the right vendors for GDPR compliance and data sovereignty. As regulations change, you can even request a connector to add the vendors that best suit your data needs. 