Data Sovereignty: New Rules Impact Business Operations

The era of borderless data is coming to an end, and far faster than many anticipated. As more nations seek to attain data sovereignty for individual and business privacy concerns, the Information Technology & Innovation Foundation reports that the number of data-localization measures has more than doubled to 144 restrictions across 62 countries in just four years. 

The discussion around data sovereignty will only increase as the amount of data rises. Statista estimates that, while global data creation will exceed 180 zettabytes (equal to 180 trillion gigabytes) through 2025, a report by Oliver Wyman shows that almost all – 92% – of the Western world’s data is stored in the U.S. So, while data sovereignty efforts aim for a course correction, organizations and entire countries are rethinking how they govern their data assets.

In this landscape, Chief Data Officers have a growing and active role in establishing and enforcing their own tailored rules for data governance. It is certainly creating a balancing act in how CDOs can effectively manage, leverage, and protect the flow of data assets across the value chain while ensuring that those who need it have access to the right information every time.

The Reckoning of Data Sovereignty (and Privacy)

The rise in data sovereignty comes on the heels of a growing awareness of the gaps in data collection and privacy standards, especially across borders. The ongoing controversy surrounding TikTok’s data collection methods and how that relates to the Chinese ownership status of parent company ByteDance is a clear example of the potential issues with opaque data policies. 

Europe's General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) have made some headway regarding data privacy, but there is still much that is not clear on how these efforts translate to cross-border businesses. Meta is among those that have been caught in the crossfire. While the company has denied that it was threatening to leave the European Union over data transfer disputes, an order from Ireland’s Data Protection Commission may prohibit EU user data from being transferred to America. This could prevent both of Meta’s biggest platforms, Facebook and Instagram, from functioning in EU countries.

Additional challenges may follow if and when new rules are introduced. There are a number of steps that forward-thinking organizations can take to protect business and consumer privacy, and ensure that operations are minimally disrupted now and moving forward.

• Govern everything - It should go without saying that all data should be governed to empower those who need to use it while still maintaining strong security and privacy measures. Good data governance practices allow businesses to maintain control and remain compliant with existing regulations – and react more quickly when future rules are enacted. 

• Prioritize modern data storage - CDOs should review how their data is collected and stored to align with security, governance and ease of use. While employees need access to relevant data, if their team spans multiple geos, data location becomes an issue, even in a multi-cloud world. Amazon, Google and Microsoft are among the cloud storage providers that recognize this need, and have already deployed methods for storing and keeping data in locations that protect sovereignty. CDOs must consider how their cloud and on-premises strategies align to match data needs with sovereignty requirements. 

• Don’t take locality for granted - GDPR, as well as new rules implemented in Australia, require businesses to be more mindful about their customers' location and the data they generate. Businesses cannot simply collect whatever they want and use the information as they see fit. They must instead provide complete clarity on which data is collected and how it will be leveraged and give both customers and prospects the opportunity to opt out. To fulfill these requirements, customer data will need to be managed more like internal data. Proper governance can ensure that insights are only shared in a way that conforms to the rules and is in line with customer consent.

• Protect the flow of data, no matter the circumstance - In the era of data sovereignty, governance, storage and locality are taking center stage. Consider the July 2022 Schrems II judgment that ruled EU companies can no longer legally transfer data to the United States based on the Privacy Shield framework, or they risk a penalty of €20 million. We can expect to see more rulings like this. CDOs will have to step up and take action accordingly. They should be proactive in addressing these issues head-on and initiate strategies that can work even when data collection or sharing are limited by sovereignty or regulations. By taking the necessary steps now, CDOs can overcome the challenges of balancing how they manage, leverage and protect the flow of data, no matter the circumstance.

Data has become the focal point and main asset for businesses across industries and around the world. The importance of managing and protecting the flow of data is a challenging duty resting on CDO’s shoulders. But, with the steps laid out above, CDOs can confidently navigate the complex and volatile world of protecting their most valuable data.

About the Author

As Chief Data and Analytics Officer, Joe DosSantos leads the alignment of business and technology to enable 3rd Generation Business Intelligence at Qlik. He is responsible for use case prioritization, DataOps methodology, and the deployment of information management systems, including all of Qlik’s Data Integration and Data Analytics products. He also provides thought leadership in modern Data Architecture and Data Governance to other CDOs. 

Prior to taking on the CDAO role, DosSantos was responsible for Qlik’s Data Catalyst product positioning and competitive intelligence, developing business-focused offerings with Industry Solutions, and defining QDC’s long-term product roadmap.  

Before joining Qlik, DosSantos was the Vice President of Enterprise Information Management Technology Services at TD Bank Group. In this capacity, he was responsible for enterprise technology required for the management, transformation, and analysis of information across the Bank. He led the delivery of an enterprise data lake that included a metadata driven catalog and data as a service experience, Hadoop native ETL, and next generation reporting, analytics and artificial intelligence solutions. He is also responsible for the Master Data Management, Data Governance, and Data Warehousing tooling.