Data Sovereignty, Compliance Shape IT Leadership

Data sovereignty and industry compliance continue to factor in highly to discussions about future organizational IT architectures.

A recent IDC survey indicated these two issues will play a central role for IT leaders choosing service providers and making evaluations about their primary datacenter environments.

Meanwhile, the regulatory landscape is changing, and businesses must demonstrate they are meeting their obligations within and across regions despite differing regulations and complexities around where data resides.

For example, data in the cloud could be in a different legal jurisdiction than the business, leading to additional questions on legal obligations.

Businesses are forced to invest more time into compliance considerations, as it’s no longer something that can be ignored until it becomes an issue.

The European Union was far ahead in defining what its expectations are through the General Data Protection Regulation (GDPR), however other regions are also introducing their own requirements such as California's Consumer Privacy Act.

Data Sovereignty Competency Matters

“The topic of data sovereignty is more urgent than ever as we try to counter-balance these considerations,” explains Jason Conyard, CIO of VMware. “Privacy and privacy-adjacent laws is also an ever-growing topic not only on a national level, but on a consumer level as well.”

He points out customers want assurances about their data -- how it is used, who it is shared with, and how it is protected.

“If a company can demonstrate competency in meeting its commitments, it builds trust and customer loyalty and ultimately leads to increased profitability,” Conyard says.

Spencer Kimball, co-founder and CEO of Cockroach Labs, adds while risk mitigation is the obvious impetus for change, a strategic embrace of the challenge of data sovereignty can pave the way to more frictionless expansion into new markets.

“Very few businesses in today’s connected digital economy are not looking towards a future of global expansion,” he points out.

He says with the inevitability of new regulations always on the horizon, it’s increasingly important to build on infrastructure designed to overcome these challenges.

“The global public cloud is the right substrate, but simply moving workloads built on legacy infrastructure to the cloud isn’t enough,” Kimball explains. “Instead, architectures must become aware of geographic realities -- for example, where must the data be domiciled, and where can it be processed in order to remain compliant.

This is a problem that extends from the database all the way up to the application logic which processes the data.

A Complex Environment Adds to Challenges

Businesses are running data across multiple third-party datacenters and clouds, which raises questions about where the infrastructure is and how to demonstrate that certifications and obligations are being met.

“It’s important that businesses select partners and multi-cloud providers who can certify on their behalf, since the organization is ultimately responsible even if someone else is enabling the transaction,” Conyard says.

He points to another interesting factor -- that some cloud providers are being barred from, or severely limited from operating in certain jurisdictions, which forces businesses to use more than one provider.

“For example, some cloud providers weren’t operating in Russia prior to the invasion of Ukraine, which was exasperated when increased restrictions were put in place because of the conflict,” he says. “This adds another layer of complication to businesses’ calculations around service provides.”

It’s a complicated landscape, which is why businesses must rely on highly competent partners, with the right certifications, who fundamentally understand that data sovereignty is not just a nice to have -- it is table stakes.

Kimball agrees careful selection of vendors that provide infrastructure purpose-built to exploit the cloud is a must, but an overreliance on any single cloud service provider (CSP) -- especially on CSP-specific infrastructure choices -- can lead to unacceptable vendor concentration risk.

“Investing to build a flexible, multi-cloud posture can also be an important prerequisite for expansion, as each cloud vendor has different strengths in presence across different geographies,” he explains.

Customer preference for where a service is hosted (the country or region, as well as in which public cloud) can also be a factor, especially where the customer is a business or a government entity.

CIO, Legal, Security Among Key Stakeholders

Kimball explains as demanding compliance requirements continue to evolve, the re-architecture of the tech stack to support the next generations of applications and services has become a strategic priority across the C-suite.

“The time horizon to realize the value of these investments is measured in years, or even decades,” he says. “We see this responsibility most commonly falling under the purview of the CIO, with significant execution from chief architects, IT compliance, procurement and legal.”

From Conyard's perspective, any large organization should have their privacy team involved in ensuring data compliance, as well as their security, IT and legal teams.

“Many companies are also relying on external counsel to help them navigate the unusual territories,” he adds. “While most large companies are familiar with the legal requirements and obligations in the countries they primarily do business in, compliance isn’t defined by national borders.”

This requires businesses to go to greater lengths to consider relevant jurisdictions and considerations.

They must also know their data -- what they have and where they have it -- to identify the appropriate requirements.

For example, if businesses have data that includes that of a European Union resident, they have an obligation to fulfill GDPR, no matter the country in which they reside.

“Looking forward, it’s crucial that businesses identify their guiding principles,” Conyard says. “The choice is doing enough solely to meet legal obligations, or using data compliance as an opportunity to demonstrate to customers and key stakeholders that they take privacy seriously and are a trusted organization in the long term.”

What to Read Next:

Preparing for Compliance With AI, Data Privacy Laws

Cloud Adoption in Financial Services: Risks and Opportunities

3 Ways Data Engineers Can Ensure Compliance