In recent months, data sovereignty is once again in the spotlight for the world’s digital businesses and governments seeking to mitigate against uncertain economic and geopolitical environments. Knowing exactly where an organisation’s data is stored, and what country’s legal and compliance requirements governs this, means that a defined data sovereignty strategy should be a key business priority that warrants careful consideration at the most senior level. Failure to execute this could have wide reaching consequences including fines for non-compliance, business disruption and damage to reputation.
Currently, nowhere is more of a hotbed for debate on this than in Europe, where there is a strong drive to build a resilient and self-sufficient digital infrastructure. A key foundation for establishing this successfully is the ability to store and secure data under European jurisdiction. And with businesses of every size heavily reliant on cloud-based services headquartered outside of Europe, this is creating a sense of unease amongst leaders that they must rapidly address the operational and legal ambiguities this raises.
A European cloud for a trusted digital economy
In the UK alone, a recent survey found that more than 60% of the UK’s IT tech leaders feel the government’s use of US cloud services leaves the country’s digital economy vulnerable to a variety of risks. For example, further exacerbated by the announcements on US tariffs, a whirlwind of ever-changing trade policies and US laws such as the CLOUD Act (Clarifying Lawful Overseas Use of Data Act) that could oblige large American cloud providers to provide data to US authorities no matter the geography in which this is stored concerns over the security and sovereignty of data have been.
These sentiments are echoed across Europe, with momentum building to establish a secure, resilient and sovereign cloud for the continent. This is demonstrated by the EU’s Important Projects of Common European Interest on Cloud Infrastructure and Services (IPCEI-CIS), a notable programme to create a sovereign European cloud campus to protect data under EU regulations and ensure that data physically stored in Europe’s boundaries is far less dependent on US providers.
In today’s environment, it is no wonder that locally governed data storage services are an increasingly attractive option, with specialist European providers as well as the large hyperscalers such as Azure and AWS, actively invested in the effort to make this happen. IPCEI-CIS is backed by more than 100 organisations, not only to achieve regulatory compliance with EU laws such as GDPR, but the aim is also to support technology innovation and digital growth throughout the region.
A critical and strategic matter for all digital businesses
Data sovereignty has broad reaching implications with potential impact on many areas of a business extending beyond the IT department. One of the most obvious examples is for the legal and finance departments, where GDPR and similar legislation require granular control over how data is stored and handled.
The harsh reality is that any gaps in compliance could result in legal action, substantial fines and subsequent damage to longer term reputation. Alongside this, providing clarity on data governance increasingly factors into trust and competitive advantage, with customers and partners keen to eliminate grey areas around data sovereignty.
With so much at stake, it is no longer acceptable for there to be any doubt about what jurisdiction data falls under. While once perceived as an issue for large global corporates, the fact is that any size of digital business using a cloud infrastructure now needs to plan meticulously for where its data is stored, and the legal implications of this.
Arguably, it is smaller businesses that face their own set of challenges in understanding data sovereignty requirements. Unlike multinationals, smaller organisations commonly do not have the specialist legal and IT resources at their fingertips to advise on cross-border data policies. Instead, they often turn to third party cloud providers and are reliant on these partners to provide sound counsel on data legislation and organisation.
Why repatriate data?
One way that many companies are seeking to gain more control and visibility of their data is by repatriating specific data sets from public cloud environments over to on-premise storage or private clouds. This is not about reversing cloud technology; instead, repatriation is a sound way of achieving compliance with local legislation and ensuring there is no scope for questions over exactly where data resides.
In some instances, repatriating data can improve performance, reduce cloud costs and it can also provide assurance that data is protected from foreign government access. Additionally, on-premise or private cloud setups can offer the highest levels of security from third-party risks for the most sensitive or proprietary data.
Implementing sovereign-readiness
The rule of thumb now for any business is that if it’s not crystal clear about where your data is stored and what country governs this, it is essential to take action.
Although every organisation will ultimately choose its own path towards data sovereignty, action is needed now to fully understand where and how data is stored and how to bring it home if necessary. Many organisations will seek out a partner that can help restructure their operations to suit data storage needs and ensure this is compliant with local laws.
That partner should be able to provide transparent and specific details on data handling; for example, offering assurance that data is physically located in a UK or French data centre, and that a data centre provider is compliant with regulations such as GDPR. Providers should also offer more than basic service, with the ability to offer in-depth and proactive consultancy, and end-to-end security to protect data against external threats.
For many companies, choosing the right partner will make all the difference to being truly sovereign ready or falling short of this. In a world beset with geopolitical and economic uncertainties, it is no surprise that Europe is heavily invested into a sovereign cloud that will underpin and enable its future digital economy.
Every company can – and should – play its part in this now by asking tough questions about its own data. Being truly ready means knowing data location, who can access this and what legislation it is governed by. In this way, every business can align itself with Europe’s ambitions to foster the continent’s long-term digital ecosystem.
- Data & AI
- Infrastructure & Cloud