Data Sovereignty: A Tale of Two Stories
Intralinks co-sponsored a roundtable — hosted by Economist Events — aiming to understand how the industry is reacting to growing data sovereignty concerns.
13 April 2016
On Thursday 7 April, I attended a roundtable — hosted by Economist Events — aiming to understand how the industry is reacting to growing data sovereignty concerns. Included in the discussion were leading experts from some of the world’s best-known companies. It was clear from the conversation, however, that there are no straight solutions to these concerns.
We have two stories emerging in the data sovereignty debate in my view: the legal story and the technology story. I really noticed the presence of both in the debate today.
On one hand you have the legal and compliance story. We debated whether standing up datacentres in hundreds of countries is a bad strategy, despite the law favouring that approach whilst legal data access rights are argued out in court. Right now there are very few data residency laws forcing companies to store their data in a specific country, so I argued companies just want their data stored near them for peace of mind. As you can see, for the most part it’s an emotive motivation for data sovereignty, not a legal one. It was also argued today that regulations have a degree of flexibility because technology will advance over time, but in my view, some countries take data privacy directives more seriously and more prescriptively than others, which, again, can cause issues.
As the discussion unfolded, I eventually argued the importance of something different. Over time, the “logical location” of data should prevail. “Logical location” is where the point of encryption resides. You can’t see data in a datacentre if it’s a scrambled jumble of letters and numbers; the encryption key unlocks the information. This takes the legal story to a technology level — a level at which we won’t be for some time until the law catches up.
If we look at the broader technology story, the main challenge that was brought up today was security. It was said that migrating from large-scale datacentres to a distributed model is enabling the data sovereignty movement, but adding more datacentres to the planet will bring up concerns about security — and securing data-at-rest, data-in-use and data-in-motion. Data is in use or moving around all the time; it doesn’t just sit in a datacentre. The legal world may be thinking about storage at a basic level, but technologists and compliance officers have a bigger challenge when trying to secure data — in all three states — from hackers and human error.
Speakers today agreed that human error can be limited, but it requires stringent information governance policies. A key problem is that companies are tiering their data in such a way that they are unnecessarily spending money. Data privacy regulations are there to protect personally identifiable information, but public information and other sensitive data don’t necessarily fall into that category. Categorising all data as one tier — so sensitive data for example — will cause you more headaches and cost you more money, because not all your data is sensitive. Tiering data appropriately is critical.
My chief takeaway from the discussion last week is that nobody has all the answers. No cloud provider will have all the answers, and no company will have all the answers. We’re all thinking along similar lines though — we’re looking to technology to help solve a legal problem but have yet to unite the technology and legal stories properly. Hopefully both technology and law will meet somewhere in the middle soon.