(Source – Shutterstock)

If done right, data sovereignty may not be as complex as it seems

Data sovereignty is now the future for data management for enterprises around the world. As data sovereignty is based on the idea that data is subject to the laws and governance structures of a particular nation where it is collected, organizations feel it’s also the best way to have a trusted, global data ecosystem.

In fact, reports show that there is now an increase in global laws and regulations to reduce risk and preserve privacy, security, safety, and ethical standards. In Southeast Asia, countries like Malaysia, Singapore, Thailand, and others have come up with or are working on stricter laws to safeguard the data of their citizens.

To be precise, data sovereignty laws simply mean that if a company does business across different countries, the data it collects within each country could be under other protection requirements. The operational compliance response from enterprises will need to adapt accordingly.

With that said, the tech industry has also come up with a solution to meet the requirements of data sovereignty – the sovereign cloud. Design to deliver security and data access that meets strict regulatory requirements, the sovereign cloud is now becoming increasingly adopted by most countries.

In Southeast Asia, Singapore’s first sovereign cloud is being developed by Microsoft while Thailand is also working with tech vendors on this. In Malaysia, VMware is working with network provider TM to deliver the first sovereign cloud service in the country.

To understand more about data sovereignty, Tech With Asia speaks to Catherine Lian, Managing Director and Technology Leader, IBM Malaysia. Lian explains what are the main challenges businesses face when it comes to data sovereignty as well as how IBM is helping businesses deal with this.

What are the main challenges businesses face when it comes to data sovereignty today? 

As businesses continue to modernize by migrating their data to the cloud, there’s an increase in complexity around data access and ownership. Data sovereignty looks different for every country, and some nations are more restrictive than others. For example, some countries are considering requiring a company’s cloud to be operated and run locally and under their control only.

Our take is that data protection needs to be achieved through more international collaboration, not less. When different technical standards are codified into law in multiple countries around the world, this can result in divergent approaches to accessibility requirements and barriers to market participation. While governmental regulations are evolving at an accelerated pace to match the speed of modernization, global policies and regulations must be in harmony.

What complexities can businesses face when storing and managing data to meet compliance and regulatory requirements? 

data sovereignty

Catherine Lian, Managing Director and Technology Leader, IBM Malaysia

Amidst an increase in global laws and regulations designed to reduce risk and preserve privacy, security, safety, and ethical standards, businesses across the globe are navigating how to store and manage data to meet the latest compliance and regulatory requirements. For highly regulated industries, like financial services, addressing stringent compliance and regulatory needs is especially important as companies in this sector handle some of the world’s most sensitive data.

That’s why the need for a financial industry-specific approach is critical. For example, banks have been historically reticent to move mission-critical workloads to the cloud because their platforms were not built with industry-specific, financial regulatory compliance and security needs in mind. Today, they are in need of a different cloud – one that is secure to the core at each layer, scalable, and interoperable.

With built-in regulatory and compliance controls and industry-leading security, we’re helping some of the world’s largest banks move to the cloud with confidence with IBM Cloud for Financial Services. Designed to address the unique needs of the financial services industry. As we strive to de-risk the greater financial services industry, we’re enabling clients to use the IBM Cloud Framework for Financial Services on any cloud.

IBM’s open, hybrid cloud technologies make it possible for organizations to neutralize vendor lock-in, execute and store data where needed, and – in doing so –  we are addressing key concerns that are prompting enterprises to seek greater autonomy and control over their data.

When it comes to data ownership and accountability, what are the best strategies/tools businesses can use to ensure this?

For organizations, evolving regulations and growing legislation should serve as a reminder that data privacy and protection requirements can help proactively safeguard customer and employee data wherever it’s stored and shared.

As the focus on data ownership and accountability grows, data sovereignty is an evolving concept that organizations will need to be prepared for. Businesses must first understand the concept of sovereignty and specifically what definition of sovereignty is being employed.

While Sovereign Cloud is an emerging cloud operating model for the industry, sovereignty encompasses data privacy, data residency, and service locality. Locality entails moving all services to where the data is, potentially also running disconnected from the cloud, while residency requires moving the data handling services to where the data is, keeping it at the client location or within the target regulatory jurisdiction.

Each of these capabilities are topics related to sovereignty, and together they build toward the full vision of Sovereign Cloud, helping organizations meet the legal and regulatory requirements of a set of selected jurisdictions while running locally.

How is IBM Cloud helping enterprises and even governments deal with data sovereignty? Can you share some examples?

To promote trust, IBM has come together with other industry cloud leaders to develop Trusted Cloud Principles to drive innovation, improve security, and remain competitive in the new digital economy. We’re continuing to drive clients’ hybrid cloud journeys –with security and trust at the center of transformations – enabling enterprises and governments to bridge the gap between existing IT investments and ease cloud adoption for mission-critical workloads.

As data sovereignty requirements evolve, we’re bringing a secured, unifying layer of cloud services for clients across environments with IBM Cloud Satellite – regardless of where their data resides. This is essential to help address critical data privacy and data sovereignty requirements.

As we help clients on their journeys to address risk and compliance with the evolving landscape of data regulations, IBM Cloud’s focus is on building solutions that can help clients adhere to global sovereignty requirements – working with them both directly and through our ecosystem of partners around the world.

Some countries and tech vendors are now looking to the sovereign cloud as a solution. What’s IBM Cloud’s take on this? 

Against a backdrop of shifting economic and geopolitical forces, the proliferation of cloud technologies has introduced Sovereign Cloud – an emerging operating model for the industry that aims to help organizations meet the legal, regulatory, and operational requirements of a given jurisdiction. That is why the IBM approach to Sovereign Cloud is grounded in a long-standing conviction that we all benefit from enabling inclusive, open collaboration between like-minded partners who share similar values.

As businesses face growing data ownership and accountability requirements, IBM Cloud is committed to helping clients prepare while continuing to help them protect their data with high levels of security where data resides. On their journeys to diversify and reduce risk, a hybrid cloud approach can help.

Lastly, what would be the best way for countries to ensure data sovereignty is practiced? 

Countries are evaluating how to best mitigate risk and as a result, we’re increasingly seeing nations put regulations into place that are designed to help protect and control nationally generated data and assert countries’ rights to technological autonomy. We believe the primary objective of these policies is to protect data and the privacy of citizens, businesses, and government organizations against misuse, exploitation, cyber threats, and terrorism.

At IBM, we fully understand the desire for control and technological self-determination, the need for increased data protection to mitigate cyber threats, and the potential for undue interference in domestic affairs from outside forces.

To adequately address these substantive concerns and issues, governments and policymakers are best advised to favor a risk-based approach. By regulating certain high-risk practices, sensitive datasets, and critical industries, governments can ensure that data sovereignty rules are proportionate and effective, without inhibiting the potential for co-created and cross-border innovation in cloud, data, and security.

As organizations move further into their hybrid cloud journeys, a defined approach to Sovereign Cloud can help deliver the levels of security and data access required to meet specific local jurisdiction laws on data privacy, access, and control.