For many years, talking about data in organizations meant talking about efficiency: better storage, more integration, more analytics, more automation, and now more intelligence. Cloud computing accelerated this movement, AI amplified its effects, and governance emerged as a mechanism for order. Even so, a fundamental topic continues to be treated as peripheral in executive agendas: data sovereignty.

In most cases, data sovereignty is almost exclusively associated with data security and privacy or, at best, with the physical location of information. This framing is comfortable, but clearly insufficient. Data sovereignty is not just about complying with regulations, protecting individuals, or keeping data secure. It is about something deeper and more strategic: who actually holds power over the data that sustains the business.

Stop confusing data access with data control

Having access to data is not the same as having sovereignty over it. Many organizations access, process, and analyze large volumes of data daily, yet remain fully dependent on third parties to store, move, transform, and even interpret that data. Control exists only while everything works as expected. The real issue emerges when the context changes, whether due to regulatory, technological, contractual, economic, or even geopolitical factors.

The illusion of control is one of the most underestimated risks in data strategy. Data may be “in the cloud,” contracts may be signed, service levels defined, and dashboards fully operational.

Still, few organizations can confidently answer relatively simple but uncomfortable questions:

• Who can access my data in extreme situations?
• Which jurisdictions apply to my data outside my home country?
• Can I switch providers without compromising critical operations?
• Is my data being used to train AI models that I do not control?

Brazil’s General Data Protection Law (LGPD) was and continues to be an essential advancement. However, it does not resolve the broader debate on data sovereignty. Privacy addresses the rights of individuals. Security addresses the protection of data. Sovereignty addresses strategic autonomy.

Reassess AI dependencies before they become structural risks

An organization can be fully compliant with regulations, certified in security standards, and still be deeply dependent on structures, decisions, and interests it does not control.

This issue becomes even more critical with the rise of generative AI (genAI). The more intelligent organizations become, the more data they concentrate, the more models they train, and the greater their dependence on global platforms. Without a clear view of sovereignty, innovation can mask a silent transfer of power. The organization continues to operate, but begins to outsource structural decisions about its own information assets.

In recent projects I have worked on, this topic has raised growing concern among executives and data leaders. They are beginning to recognize that this is not merely a technical or operational discussion, but a strategic one. Data sovereignty is increasingly seen as a factor in risk management, business continuity, and the ability to adapt in increasingly uncertain environments.

This debate has also gained traction at the institutional level. DAMA Brazil, the Brazilian chapter of DAMA International, has already included data sovereignty in its agenda, promoting discussions that acknowledge the topic goes beyond traditional data governance and requires a broader perspective connected to strategy, regulation, and the global context.

Factor geopolitical exposure into data strategy decisions

It is impossible to discuss data sovereignty without considering the impact of geopolitics. Tensions between countries, extraterritorial laws, trade and technological disputes, and the movement of economic blocs directly influence how data is handled, accessed, and controlled. In an increasingly polarized world, data is no longer just a corporate asset. It plays a central role in disputes over economic and technological power. Ignoring this reality means accepting risks that many organizations are not yet able to fully measure.

Data sovereignty should not be confused with isolation or digital protectionism. No competitive organization can forgo the scale, flexibility, and speed offered by the cloud, AI, and global providers. The real dilemma is not whether to use these technologies, but how to balance unrestricted efficiency with conscious autonomy. It is about accelerating in the short term while preserving strategic options in the medium and long term.

When sovereignty is neglected, the cost does not immediately appear on the balance sheet. It manifests in the form of technological lock-in, reduced bargaining power, limited future choices, and exposure to risks that rarely surface explicitly at the board level. Organizations without data sovereignty do not just lose operational control. They lose strategic maneuverability.

For this reason, the discussion must move beyond the legal domain and become part of the executive agenda. This is a decision that involves risk, resilience, competitiveness, and long-term vision. It is not about where data is stored, but about who makes decisions about it when the environment becomes unpredictable.

Elevate data sovereignty from technical concern to executive priority

In practice, advancing data sovereignty does not mean abandoning the cloud, AI, or global providers. It means adopting a more deliberate approach to decisions that have long been confined to the technical domain. In this context, the role of the Chief Data and AI Officer (CDAIO) becomes central. Not as someone responsible only for platforms, models, or analytics initiatives, but as the leader tasked with making explicit the risks, dependencies, and strategic impacts that rarely appear clearly in executive discussions.

It is up to the CDAIO to challenge the organization with questions that are often absent from digital transformation narratives.

• To what extent can the company’s data be moved, shared, or reused without compromising future autonomy?
• Which strategic decisions are being implicitly outsourced when certain architectures, platforms, or AI models are adopted?
• What level of reversibility truly exists in the choices being made today?

Build governance around autonomy, not just compliance

Treating data sovereignty as a strategic issue means incorporating technological and informational dependency risks into corporate governance. It requires reviewing contracts, architectures, and operating models from the perspective of autonomy, not just efficiency. Above all, it requires expanding data governance beyond quality, security, and compliance to include effective control, transparency, and decision-making power over how data is used, shared, and transformed, especially in AI initiatives.

In this scenario, the CDAIO is no longer just an enabler of strategies defined by others. The role becomes more challenging, but also more essential. It involves reminding the organization that not all efficiency is neutral, not all innovation is reversible, and not all dependencies are visible in the short term. Data sovereignty exposes dilemmas that many organizations prefer to postpone, but that are becoming increasingly difficult to ignore.

Ultimately, data sovereignty is not a discussion about technology, nor only about compliance. It is a discussion about power, autonomy, and the ability to choose. Organizations that fail to confront this debate will continue to operate, innovate, and grow, but within limits they did not consciously define. And that may be the greatest risk of all: realizing too late that its digital destiny has already been decided by others.

About the Author:

Bergson Lopes Rego is a Managing Partner at BLR DATA, Vice President of the DAMA Brazil chapter, and a specialist in Data Governance.