Heightened risk related to data sovereignty is universally acknowledged. Most IT decision makers see that risk increasing as a result of geopolitical instability, and that inadequate preparation could result in costly reputational damage and a loss of customer trust.
Those are the key findings of a Pure Storage-sponsored survey in which the University of Technology Sydney carried out interview-based qualitative research among IT practitioners in the Europe and Asia-Pacific regions.
The survey found:
- 100% of those asked believed sovereignty risks that include potential service disruption have forced organisations to reconsider where data is located;
- 92% said geopolitical shifts had increased sovereignty risks;
- 92% believed inadequate sovereignty planning could lead to reputational damage;
- 85% identified loss of customer trust as the key consequence of inaction;
- 78% said they had embraced data strategies that included engaging with multiple service providers; adopting sovereign datacentres (on-premise or in-country), and building enhanced governance requirements into commercial agreements.
The survey commentary talks of a “perfect storm” where service disruption risks, foreign influence and evolving regulations converge to create huge exposure to risk for organisations that could result in revenue loss, regulatory penalties and irreparable damage to stakeholder trust if not addressed.
One IT decision maker talked about how complex data sovereignty can be to unpick, and how it now forms key planks of their organisation’s agreements with customers.
“The Access Group handles sensitive end user data for our customers across the world, from the NHS in the UK to the Tax Department in Australia,” said Rolf Krolke, regional technology director for APAC with The Access Group. “Data sovereignty is an absolutely critical issue for us and our customers. In fact, they ask that it be written into our contracts.”
The concept of data sovereignty centres on the idea that information created, processed, converted and stored in digital form is subject to the laws of the country in which it was generated. But data can travel, too, and when it does, its destination country’s laws on data held there that must be adhered to. That is known as data residency.
Difficulties can arise when the two concepts meet and the laws of one state contradict another, such as with the European Union’s General Data Protection Regulation, which requires that data transferred to another jurisdiction is held with adequate safeguards and protections.
For such reasons, organisations often want to know where their data goes, and also might want to keep it in known – often home country – locations.
Such concerns have been heightened in the recent climate of geopolitical instability, as well as the febrile climate that has grown around international cyber crime.
The rise in use of the cloud is core to many of the concerns and the difficulties that arise.
Datacentre locations
Also present as concerns are datacentre locations and the global supply chain, said Patrick Smith, EMEA chief technology officer of Pure Storage, who suggests organisations and states will need to move to – or are already moving towards – building their own sovereign capacity.
This, he said, means physical equipment and in-country datacentre capacity, and that’s not a trivial obstacle to surmount.
“It’s interesting when you think about some of the constrained components that we’ve seen on the global stage,” said Smith. “A great example is Nvidia GPUs [graphics processing units], which require almost a global village to produce them.
“As soon as you start looking at data sovereignty, you’re looking at, ‘How do I build my sovereign capability? Where do I get all the components from?’ Many countries have effectively outsourced datacentres. They’ve put them outside of their own geography.
“With a sovereign capability, you’re talking about having to host those datacentres within your own borders,” he said. “And that suddenly means that you need to have that energy production and water supply to support that datacentre.”
