Business Reporter

Data sovereignty for data in motion


Richard Timperlake at Confluent explains how businesses need to manage data sovereignty when moving personal data between different jurisdictions.

 

Over the past couple of years, data has emerged as one of the most critical assets needed for business success. According to Confluent’s Data In Motion research, 56% of IT leaders with extensive access to real-time data streams report higher or much higher revenue growth than their competitors.

 

The research also showed that three in four organisations say they would lose customers without access to the insights they glean from real-time data streams today, with retailers being the most likely to suffer.

 

It is evident that data is what companies need to offer an unrivalled customer journey and the exceptional customer service required to keep them returning to a brand repeatedly.

 

Unfortunately, providing an exceptional service or product requires businesses to pull out insights from their customers’ data and build that personalised experience. While it may seem like an easy ask, global organisations face many regulatory challenges when it comes to leveraging data that resides in different geographies.

 

This makes data sovereignty one of the most critical elements of any digital strategy within a brand.

 

With that in mind, here are the four things businesses need to think about to get data sovereignty right.

 

1. Understand data sovereignty and where it applies

Let’s start by defining data sovereignty. Data sovereignty is the concept that digital data is subject to the laws of the country in which it is processed.

 

Many don’t realise that data sovereignty applies to data regardless of its status, whether the data in question is at rest, in motion, or in use. This means that organisations that utilise data must ensure that they comply with regulations and safeguard their customers’ data.

 

In addition, regulations such as GDPR, which applies to the personal data of people within the EU, and the similar UK GDPR, also state that businesses need to ensure their users are informed about the use of this data.

 

As a result, organisations that aspire to provide a personalised experience to their customers have to incorporate data sovereignty into their IT strategies, especially when it comes to the cloud. The main reason behind that is that determining the geographical location of data when it comes to cloud computing can be blurred, and many businesses are not clear about where the data is stored.

 

This provides challenges when deciding the applicable law, especially in the EU, where the physical location is crucial to determining which laws apply. Ultimately this is where data sovereignty comes into play.

 

2. Set up your data with data sovereignty in mind

Before beginning the journey, it’s imperative that businesses take a step back to look at how data is being used across many leading brands. They must recognise that all types of data aren’t equal.

 

For data to be effective and fit for use, it needs to be of high value. This means the data is clean, it is tagged in the right way, saved in the right location, and clear of errors and typos so that it’s searchable, no matter what type of data it is.

 

One way of doing this is taking the data mesh approach. Data mesh is an approach to data and organisational management centred around decentralising control of data itself, making it accessible, available, discoverable, secure, and interoperable. It enables businesses to mix data to paint an accurate picture of their customer’s journey.

 

However, organisations that implement a data mesh need to clearly define which domain team owns which data set, and all teams must be willing to make changes quickly so that their data is always of good quality. This will allow teams to be more innovative and create a smooth and customisable customer journey whilst ensuring data sovereignty is considered.

 

3. Be aware of key legislation and judgements

When it comes to data privacy and protection, consumers have become more educated than ever before due to the increasing media coverage surrounding the topic.

 

It is also fair to say that businesses have become aware of the growing implications of transferring their customer data between geographies.

 

The US Cloud Act is perhaps the best-known legislation dealing with data sovereignty and corporate rights. The Act gives customers the right to access their data no matter where it’s saved as long as the request doesn’t violate the privacy rights in the country where the data is stored.

 

When it comes to British data protection law, the complication around data sovereignty is that businesses may not understand that organisational data might not just be stored in the UK, and that it can be bound by the laws of other nations holding the data. This may change as a result of Brexit, and the UK government has already announced the Data Reform Bill, which is set to reform the UK’s data protection regime.

 

Digital service providers (DSPs) also have to be aware of the EU’s Network and Information Systems Regulations (NIS Directive) 2018, which have been enacted in UK law and are often referred to as the ‘NIS Regulations’.

 

An important judgement in the European Union (EU) also affects data sovereignty. In 2020, the Court of Justice of the EU issued a verdict, known as Schrems II, which invalidated the EU-US Data Protection Shield, on which many companies relied to transfer their data between the US and the EU, due to concerns around surveillance by US state and law enforcement agencies.

 

Overall, based on varying interpretations of GDPR, as well as rulings such as Schrems II, companies should understand that many regulators will take a pragmatic approach to ensure they secure the interests of both industries and consumers, rather than being overly cautious with low-value data or processes.

 

4. Build global data sovereignty strategies

Multi-cloud strategies have been key for many businesses looking to avoid vendor lock-in. However, this has left them with systems to manage that have regulatory and legal complexities. If a business has a multi-cloud infrastructure, with data stored in several different locations, there is a possibility that it might violate several countries’ data sovereignty regulations simultaneously.

 

What is clear is that handling data sovereignty correctly across all relevant territorial regulatory systems is challenging. The first step is to determine where the data is saved.

 

The next step is to consider whether it can be legally moved after being processed in a specific country. For example, international data transfers are restricted by the EU’s GDPR.

 

This is not to say international data transfers can’t take place under the GDPR. As long as the European Commission has decided there are adequate levels of protection, or the appropriate safeguards in place, international data transfers can take place.

 

Many businesses have started to seek out international certification to demonstrate their compliance with GDPR and other laws that relate to data security and privacy.

 

To ensure they are covering all bases, organisations should also be thinking about creating a data protection strategy by researching, consulting, taking inventory, encrypting data, and developing an effective and efficient process.

 

Getting it right

Becoming a leading brand in today’s digital world requires businesses to be innovative and consistently respond to ever-changing customer demands. Insights garnered from data will help organisations do that as well as optimise their business offerings and get closer to their customers.

 

The two critical elements in achieving that in 2022 and beyond are a data mesh strategy that will help them to keep their data in motion and get data sovereignty right.

 


 

Richard Timperlake is SVP EMEA at Confluent

 

Main image courtesy of iStockPhoto.com

© 2025, Lyonsdown Limited. Business Reporter® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543