
As organizations digitally transform and as cloud computing takes hold, everyday processes and services are becoming digitalized. The volume of data generated, shared and stored is surging – not just domestically but also across regions and borders.
As a result, data sovereignty, the concept that data is subject to the laws and governance structures of the country where it is collected or stored, is not just a critical factor for citizens and governments but a major concern.
Chief Technical Security Officer at Alcatel-Lucent Enterprise.
Current geopolitical tensions and the scope for data to be compromised or intentionally disclosed are fueling these concerns.
But it’s not just governments feeling anxious about data sovereignty: organizations across sectors including transportation, healthcare, education, utilities and private enterprise are uneasy about the potential impact of their data falling under foreign jurisdiction.
A report commissioned earlier this year by OVHcloud found that over three quarters (77%) of IT decision makers in large UK organizations regard data sovereignty as more important now than it was three years ago.
What’s at stake?
Organizations must comply with local data protection laws such as GDPR in the EU (and UK) and the California Consumer Privacy Act (CCPA) in the US. The consequences of non-compliance with local data jurisdiction include financial penalties from regulators and potential legal action and compensation claims from affected individuals. It can also lead to reputational damage and erosion of customer trust.
But aside from the potential impact on company reputation and hefty fines, there are other risks too. City transportation systems, hospitals, schools, businesses both large and small and administrative services rely on servers that are often located outside of their respective countries. If access to these servers were suddenly denied, individuals, communities, businesses and indeed entire economies could be left without critical services and face dire consequences.
While these scenarios may sound extreme, the risks to companies and organizations are real. As our economies and public services continue to digitize, so too does our dependency on technologies that are most often controlled by non-European entities. It begs the question, who controls the IT infrastructures that keep our economies running and democracies stable? And how can we mitigate the risks?
Making digital autonomy top of the agenda
To avoid any risk of falling foul of foreign data protection laws, many European organizations are looking specifically to sovereign cloud offerings, including cloud infrastructure, collaborative tools, networks, or critical software.
A report by IDC last year found that 84% of organizations across Europe were either currently using sovereign cloud solutions or planned to do so in the next 12 months. The top three drivers were found to be enhanced cybersecurity, expanded cloud use (to support greater remote work) and compliance and industry regulations.
The move to sovereign cloud solutions is entirely logical; by choosing a European provider, companies and organizations are guaranteed a local legal framework and alignment with shared principles – particularly in terms of privacy, a value upheld by EU member states through the General Data Protection Regulation (GDPR).
Strengthening GDPR awareness and turning it into a pillar for operational governance would help push the EU towards digital autonomy. Many organizations today continue to regard GDPR compliance as a burdensome administrative box-ticking exercise. In reality, it is a genuine tool that can help protect European citizens from the uncontrolled exploitation of their data.
When selecting sovereign clouds, European and UK organizations should take care to ensure their chosen cloud provider is obliged exclusively to meet EU legislation, or they could still find themselves subject to foreign jurisdiction. For example, Amazon Web Services (AWS) plans to launch its AWS European Sovereign Cloud offering by the end of the year.
While AWS will host its data centers in Europe and comply with EU data laws, as a US player, the company is still subject to the U.S. CLOUD Act. This law allows American authorities to demand access to data hosted by any U.S. company, regardless of where it is stored. Legally, therefore, AWS could be compelled to provide such access to the U.S. government, despite pledging to offer a sovereign cloud service.
The path ahead: collaboration and diligence
As European and UK organizations individually consider their technology platforms and partners and develop strategies to protect their data sovereignty, they must also consider wider EU digital sovereignty initiatives and industry groups like the Department for Science, Innovation and Technology (DSIT) in the UK.
Gaia-X is an EU framework and ecosystem that connects existing European cloud and data service providers. Its aim is to create a federated, secure, and sovereign data infrastructure for Europe. The DSIT is a UK body that works to build domestic infrastructure to support a sovereign digital economy.
These important initiatives will only succeed if they are widely adopted by all those concerned about digital sovereignty. Today, given the risks for enterprises across sectors, this means not only local authorities and governments but all businesses and organizations, public and private, that work in the digital economy and depend upon shared data.




