Geopolitics and the cloud: how data sovereignty is shaping cloud decisions

As a business you want to implement cloud solutions that are efficient, value-adding, scalable, secure and strategic. While you might carefully select your providers and services based on factors like cost, network resilience and security to meet these needs, in the ever-evolving geopolitical landscape of the information age, data sovereignty is also a consideration that should be high on your agenda.   

Data sovereignty dictates that your data is subject to the laws and governance of the nation or state where it is stored or collected. As data becomes an increasingly important commodity for countries and organisations, varying rules and regulations about data processing in the cloud are more and more common, and often complex. If your organisation operates across multiple countries and sectors, you will need to consider how you’re going to adhere to the relevant compliance and regulations for data processing and data transfers across borders.  

Geopolitical factors you need to consider 

Significant geopolitical events can cause seismic shifts in laws, policies and economies, so it’s prudent for organisations to keep their finger on the geopolitical pulse to be able to respond and adapt to policy changes quickly and compliantly.   

For example, Brexit raised a lot of questions for UK organisations with cloud storage or data journeys to multiple locations across the EU. As of 2021, the UK became a ‘third country’ under the EU’s GDPR and this regulation no longer applied to the UK – so how are organisations staying compliant post-Brexit? Although the GDPR no longer applies to the UK, it has been instated in law as the UK GDPR, which maintains the same rules as the EU, however the UK does have the authority to review it at any time.  

In addition, last year the EU did approve the UK for ‘adequacy’ under the GDPR which means, currently, data can move as it did before with just a few exceptions. However, this status is subject to regular review, with the current adequacy approval expected to last until June 2025. Brexit certainly raised questions around cloud hosting models, and while currently regulations have enabled data hosting, storage and transfer to continue as it did before across the EU/UK, this geopolitical event demonstrated just how quickly the goalposts can change. As an organisation you need to be considering appropriate safeguards, and ensuring that enforceable data subject rights and effective legal remedies for data subjects are available and flexible for future policy changes.  

Industry impacts: making strategic cloud decisions    

For organisations across sectors data sovereignty will be a crucial decision-making factor. However, many are still at the whim of the cloud providers and the absence of a UK-owned hyperscale cloud provider means many UK organisations are seeking cloud services from US-owned companies by default.  

This obviously complicates data sovereignty, security and governance and for compliance-heavy sectors, it’s worth thinking strategically about how you utilise and implement your cloud environments.   

  • Public sector 

For public sector organisations that require hyperscale cloud solutions, there may be a fine balance to strike between data sovereignty and security. While there are sovereignty concerns about sensitive information of UK citizens being stored with US-based companies such as AWS, experts have suggested that accidental exposure of sensitive information would be a far greater risk. These organisations then need to be looking at investing in cloud solutions with the infrastructure and services to deliver top-tier security.  

  • Finance and legal 

For compliance-heavy organisations in the finance and legal sector, colocation and private cloud options will still be a strategic necessity in digital roadmaps. While the finance sector is adopting AWS and other public cloud native services faster than legal, the majority of organisations will still have legacy systems and business applications that are not suitable for a public cloud model.  

  • Tech 

In the technology sector cloud solutions will be beneficial for significant data-sharing across borders. But these organisations will still need to think strategically about what data resides where and will need to ensure that all data flowing through its systems is protected and compliant.  

How can you make sure you’re adhering to regulations? 

Implementing cloud solutions can be significant, complex projects for organisations as part of a wider digital transformation, and it will be critical that the right decisions are made at the right time to mitigate any considerable risks.  

What can happen if my organisation doesn’t meet regulatory standards?

  1. Fines 
  2. Damage to reputation
  3. Loss of intellectual property 

 To ensure you’re adhering to necessary regulations, a dedicated team should be assessing risks and monitoring compliance consistently throughout your cloud journey. Headed up by the CIO/CTO with input from multiple departments – security, legal, risk analysis, procurement – your organisation should assess workloads and evaluate where they are best placed to operate (e.g., cloud vs. on-premises). Consistent and dedicated management and monitoring of cloud systems will also be essential to ensure you continue to meet the potentially fluctuating requirements of data sovereignty. 

The future of data sovereignty 

Strategic and responsive approaches to data sovereignty will continue to be necessary in the future, and with developments like Gaia-X (an open, transparent and secure digital ecosystem), where data sovereignty is a core product principle, it is clear that this is as much a want as it is a need for many organisations. While in some cases organisations will have to choose cloud solutions strategically to manage costs, service delivery and data sovereignty, the latter looks set to be a significant driving force for future cloud decisions.