Why CIOs need to think about data sovereignty as part of their digital strategy

Will Venters is Associate Professor of Digital Innovation at the London School of Economics and Political Science

Image:
Will Venters is Associate Professor of Digital Innovation at the London School of Economics and Political Science

When cloud computing began to take shape in the mid-2000s, it implied that firms would no longer need to worry about their data centres' location. The promise that businesses could access their data and applications anywhere (with an internet connection) meant that business could reduce their reliance on-premises data centres.

However, fast forward to today and our new research paints a different picture. Presently, businesses take the location of cloud computing very seriously. This is because data is extremely valuable, but unlike tangible assets it can be freely copied and distributed, making it a highly risky asset to store. Yet, it is also only valuable when used which requires its copying and distribution.

Companies must therefore seek to, paradoxically, both secure their data and make it easily accessible. Consequently, companies and governments take data location very seriously - leading to considerable concern about data sovereignty for sensitive information such as personal, medical, financial and intellectual property.

Data sovereignty in today's era of digital globalisation and deglobalisation

Two contrasting forces are at work today, which make the data sovereignty challenge even harder - forces that academics Nambisan and Luo term ‘digital globalisation and deglobalisation'.

Digital globalisation recognises cloud computing has made it much more likely that companies will become global multinationals using global markets facilitated by internet platforms (for example, even tiny businesses can advertise and sell globally through platforms like eBay). Therefore, as they innovate, many organisations are becoming progressively more reliant on globally distributed and often fragmented cloud computing services - with significant impacts on how they ensure they meet data sovereignty requirements. And meeting those requirements has become more challenging because of the second force of deglobalisation.

We live in a world that feels ever more politically unstable. Weakening of the global order, the war in Ukraine, Brexit and populism are prominent examples, but nationalism and protectionism are growing in many countries, deglobalising large parts of our global economy in the process.

Data sovereignty demands are therefore, according to Milton Mueller, "putting multinationals at the mercy of potentially erratic political decision-making". Where data is located, physically and legally, has become a growing risky concern for CIOs as, for example, American and Chinese cloud hyperscalers' domination concerns the EU.

Similarly, global networks and connections can be severed - as gas pipelines were severed at the start of the Ukraine war - and as China limits internet access to its citizens.

Deglobalisation therefore places prominent pressure on CEOs as they develop their digital strategies.

Striking a balance

It is particularly important that, while CEOs and CIOs seek to balance data sovereignty concerns with digital opportunities in this deglobalising world, they think about their customers. Consumers are increasingly concerned about their privacy and the rise of what Zuboff famously called "surveillance capitalism." Furthermore, the rise of populism and nationalism reflect a shift in consumer attitudes towards this direction.

Take the NHS, for example. As the NHS looks to innovate and harness its globally unique dataset on 65 million patients, it must ensure that it is supported by the population it serves. Yet VMware-commissioned YouGov research in the UK this year suggests that 87% of the population believe it is important that NHS data be stored within the UK (this is a staggering 95% of the over 65s - the group who are much more likely to vote in elections).

It is therefore important that any data sovereignty strategy should consider balancing organisational desires, legal jurisdictional requirements and consumers' beliefs. It should also be noted that these three are closely intertwined. There are over 100 different standards for data sovereignty which must be addressed - all changing based on the political winds flowing in different countries - and evidenced by fines rising (e.g. Meta's €390m fine in Ireland) - and led by consumer voting preferences.

What can a CIO do in response?

Our research reveals the importance that many CIOs currently place on addressing these challenges when considering their digital strategies and cloud provision. However, focusing wholly on local datacentre provision (beyond foreign jurisdictional control and deglobalisation risks) can inhibit global growth. In response, we can see an interesting strategy of focusing on locally proximal, in-country, software, consulting and hardware solutions, while using standardisation and software to enable the management of these fragmented localised cloud estates - such that they can support globalised innovation and growth, while not falling foul to deglobalisation challenges.