Cybersecurity insights from industry experts.
Considerations for Managing Digital Sovereignty: The Executive Perspective
Business leaders must frequently balance the advantages of cloud computing and the free flow of data across geographic borders with the need to abide by local laws and regulations.
Businesses value the availability, scalability, and reliability of the cloud. They recognize that cloud computing can enable data to flow freely to where it needs to be accessed and processed, providing a huge advantage for organizations that operate on a global scale.
However, the rise of cloud computing, coupled with the broader movement toward the "internationalization" of data, has led to a corresponding increase in scrutiny of data governance and how to ensure relevant digital sovereignty requirements are met.
Digital Sovereignty: Challenges and Solutions
When considering whether to expand your business to a new country or to offer services to a new customer base, it's critical to assess the impact of digital sovereignty requirements. Those requirements vary based on which regulatory regimes apply, but broadly fall into three pillars: data sovereignty, operational sovereignty, and software sovereignty. Compliance may be achieved using multiple mechanisms, including sovereign cloud solutions powered through local partners or sovereign controls.
Consider Europe's General Data Protection Regulation (GDPR) and Brazil's General Personal Data Protection Law (LGPD) as two examples of specific regional privacy regulations that give individuals more control over how their data can be used, accessed, and stored. Similarly, legislation in Germany goes a step further, by regulating the public sector's use of cloud and requiring cloud providers to attain specific local certifications. And the Kingdom of Saudi Arabia has also promoted a data protection law that regulates, and in certain cases prohibits, cross-border data transfers.
Organizations may find themselves challenged both to pursue digital transformation initiatives and to meet different customer data privacy and protection requirements. For instance, companies may want to enable certain features or functionalities that impact the manner in which customer data is processed or stored, but find that their technical partners are unable to provide the assurances they need to operate in compliance with local laws and regulations.
Cloud providers can take a leading role in helping organizations navigate questions that arise from digital sovereignty challenges by providing products and services designed with digital sovereignty in mind, for instance by enabling visibility into where, how, and by whom customer data is accessed and stored.
In certain cases, the way to achieve compliance with digital sovereignty requirements may be to partner with a local company to meet data storage or access requirements, such as via encryption key management or air-gapping. Cloud providers can make establishing such relationships easier by serving as enablers for impacted companies in fulfilling their requirement to engage directly with such a local entity.
The Executive Perspective on Digital Sovereignty
So what steps can leaders take to proactively support compliance with digital sovereignty requirements?
First, identify whether the jurisdiction you're looking to operate in has a digital sovereignty requirement. Your legal, compliance, privacy, and data governance teams can advise on whether such a requirement applies and, if so, what it entails. Next, work with your IT and data governance teams to ensure there's a clear understanding of where and how customer data is stored, which workflows impact customer data access, and whether any revisions may be needed to comply with applicable local rules. You'll also need to engage with critical partners such as cloud service providers to determine whether there are capabilities available that can support your compliance requirements.
Take digital sovereignty considerations into account before establishing operations in a new territory or expanding services to a new customer base. Mergers and acquisitions, new business relationships, or even the hiring of a remote employee in a new location can trigger the need for compliance with new local regulations. Ensure you're asking the right questions before making these decisions, including:
Will this business change expose the company to new data sovereignty rules or regulations?
If so, has a comprehensive risk analysis been performed to assess these requirements relative to current state controls and to identify potential gaps?
So our technical partners or cloud service providers offer solutions that can help us meet these new compliance requirements?
What changes to internal processes may we need to make to comply with these new requirements? These may include process workflow changes, revisions to applicable policies and procedures, staff training, and revisions to regulatory change management processes, to name a few.
Given the impact of these requirements, is the business case for proceeding sound?
Has a cross-functional group been identified to manage the identification, definition, and tracking of these requirements? Consider obtaining independent verification of compliance, as well.
The legal and regulatory environment is a dynamic and often challenging space to manage, given the local nuances that can result in a patchwork of overlapping yet inconsistent requirements. The companies that succeed in the years to come will be those that best position themselves to effectively navigate the myriad local rules and requirements of the jurisdictions in which they operate.
Read more Partner Perspectives from Google Cloud
Read more about:
Partner PerspectivesAbout the Authors
You May Also Like