Data Sovereignty

Data sovereignty refers to the authority to dispose of data and serves as a collective term for the many facets associated with the processing of digital data – including data protection, encryption, transmission, and storage. Anyone who stores data in the cloud or uses IT services from external service providers must ensure appropriate data protection measures and familiarise themselves with the legal regulations. What are the requirements for data sovereignty and how do you maintain it?

Data sovereignty is a legal term that refers to legal guidelines relating to data. It is closely linked to data protection, cloud computing, and technological sovereignty. Data sovereignty laws create rules for the authority of governments and companies to dispose of digital user and business data. Data sovereignty thus refers specifically to the following questions:

• Who owns the data?
• Who is allowed to store the data?
• How can data be stored?
• How can data be used?
• How is data protected?
• What happens in the event of data misuse?

Because a growing number of small and medium-sized companies appreciate cloud computing, i.e. the outsourcing of company data and technology to external servers, the importance of data sovereignty cannot be underestimated. If servers are located in countries where data protection guidelines do not meet European standards, the question of data sovereignty should be clearly clarified.

The advantages of cloud computing are well known. However, as soon as sensitive data is not stored in-house but on external servers and possibly in other countries, questions over data security and data ownership arise.

Unless contractually stipulated, third-party providers may be allowed to analyse and sell data. In the EU, companies that process personal data are obliged to guarantee the highest level of data security. Therefore, verifiable data protection and modern compliance guidelines are essential. Both for companies that outsource their IT and for companies that provide IT services. If a company loses or neglects data sovereignty, this can have serious legal consequences.

Data can take on the following three stages online, in enterprise networks, and in the cloud:

• Data-in-use: Data currently in use
• Data-in-motion: Data currently being transmitted
• Data-at-rest: Data stored locally or in the cloud

Data sovereignty used to be discussed primarily in connection with data-at-rest, i.e., stored data. Today, different standards apply: data security, revision security, and data sovereignty apply regardless of storage location, especially when external providers process company data. Companies must retain data sovereignty for all three stages. This high standard of data protection can be implemented using encryption software that ensures only select companies can decode sensitive, encrypted data.

In times of digitalisation, public sector companies and those operating as part of the free economy must observe two basic rules to guarantee data security:

1. IT infrastructure must be secure, flexible, and up to date at all times
2. Data sovereignty over customer, user, and business data must be guaranteed.

Once appropriate safeguards and contractual arrangements are in place, companies can protect trade secrets and process personal data in accordance with EU data protection directives. Companies should always know how third-party service providers handle data and what rights of use they have. Since there are also legal uncertainties and grey areas when it comes to data sovereignty, it should be contractually regulated what happens to data and how it is stored, processed, and transferred.

An example:

If a production company wants to increase its performance, it can use the cloud and web services of a managed service provider. Via data analysis, this provider could, for example, make forecasts on maintenance tasks and determine the company's optimisation potential.

Although the commissioning company should have data sovereignty in this case, this does not mean it necessarily has access to all data analyses of the commissioned company. Unless otherwise contractually agreed, parts of the data could also be reused or sold to third parties. Here, a lack of data sovereignty creates a security risk and a competitive disadvantage for companies.

Small online retailers or large-scale producers – the evaluation of customer and business data is important to allow businesses to quickly adapt production and services to meet customer expectations and behaviour. Since it has become near impossible to hermetically seal off data from third-party access, legal frameworks are required. In addition to individual contractual arrangements between clients and service providers, national and international data protection regulations such as the EU General Data Protection Regulation (GDPR) are guidelines for data sovereignty.

A general data protection law that sets out basic guidelines for the protection of personal data does not exist in the USA. While there are specific data protection regulations for industries in the EU, data protection here is based on the voluntary commitment of US companies. In addition, US authorities have extensive powers of disposal over data. If UK companies use the services of American cloud providers or web service providers, data protection gaps can arise.

According to the GDPR, companies that process personal data must take ‘appropriate technical and organisational measures to ensure a level of protection appropriate to the risk’. Data protection and data sovereignty present as complex tasks for companies. In particular, balancing the protection of corporate data, personal data, and a strong market position can be difficult. Since the GDPR focuses primarily on personal data, companies must ensure that users are informed about and consciously consent to the processing of their personal data. At the same time, the analysis of user data is a crucial success factor for digital companies.

In order to harmonise data sovereignty, data protection, and corporate success, it is advisable to hire data protection officers to oversee your company's data sovereignty. In addition, it should be clarified which data protection and data use guidelines third-party companies and partner companies have. A privacy policy is obligatory and should transparently communicate your measures to securely process data. Essential technical and organisational measures include:

• Pseudonymisation and encryption of data
• Confidentiality and integrity of systems
• Technical resilience of systems
• Recovery and availability of data after technical emergencies
• Regular review, assessment, and evaluation of protective measures
• Compliance with and incorporation of data protection measures by employees

UK data security measures are on par with European counterparts.

The European initiative for high-security, privacy-compliant, and market-ready data infrastructures is called Gaia-X. Gaia-X is partnering with IONOS Cloud and others to work on a data infrastructure that will become Europe's alternative to cloud computing services provided by the likes of Amazon, IBM, Google, Alibaba, or Microsoft. This would allow companies to securely process data via intra-European computer centres, ensure data sovereignty, and prevent the outflow of industrial and personal data to non-European actors. The infrastructure aims to be based on transparent, freely selectable network nodes and data centres whose attributes, capabilities and requirements are clearly communicated. Customers should be able to switch providers effortlessly without becoming dependent on web service providers and managed service providers or through cloud and vendor lock-in.