Data sovereignty expands beyond compliance boundaries

The new world of data sovereignty

The task for enterprise data leaders is challenging. On the traditional compliance side, they face numerous regulations that address elements of sovereignty but do not fully define it. Organizations navigating jurisdictional control of data do so without a single, authoritative global standard comparable to the EU's GDPR, which serves as a de facto data privacy standard.

"A clear GDPR for sovereignty doesn't exist," said Dario Maisto, a senior analyst at Forrester. "There is no legislation whatsoever in the world that tells you what sovereignty is and isn't."

Maisto said that some regulations, such as India's Digital Personal Data Protection Act, 2023, touch on sovereignty within specific domains but don't define it more broadly. The DPDPA applies only to digital personal data or data digitized after being collected, he noted. It focuses on data protection and permits cross-border data flows, except to restricted regions, Maisto added.

Another complication for data sovereignty efforts is physical risk to data centers and other technology infrastructure. Geopolitical conflict and natural disasters can strip organizations of jurisdictional control even when data is stored and processed in accordance with local laws.

For example, Iran on Feb. 28 began launching salvos of drone and missile attacks at the Gulf States in response to the U.S. and Israeli strikes against the country. The next day, AWS reported damage to data centers in Bahrain and the United Arab Emirates caused by Iranian drones. The attacks severely disrupted services at the facilities, and the cloud provider urged customers to migrate workloads to other AWS Regions in the U.S., Europe or Asia-Pacific, "as appropriate for your latency and data residency requirements."

"The geopolitics have shifted tremendously in the last few months," said Ron Babin, adjunct research advisor for IDC's IT Executive Programs. "As a CIO, that's something that you rarely have had to worry about -- having your data center as a target of military forces."

The threat to IT infrastructure and data, concerns about dependencies on foreign tech providers, and ambiguous regulations have drastically changed the nature of sovereignty.

"There is a paradigm shift going on in the market," Maisto said. "It used to be a data protection problem [and] a privacy-related issue. Now, instead, it is really about risk management."

Developing a sovereignty strategy

Against this backdrop, industry executives and analysts outlined frameworks and methods to help IT leaders operationalize sovereignty strategies.

Kyndryl, an IT infrastructure firm, in April launched a suite of advisory, implementation and managed services focused on sovereignty. Logan Wolfe, partner for global enterprise transformation, AI and sovereign tech strategy at Kyndryl, said the services reflect the new directions of sovereignty.

"The conversation has shifted, fundamentally so, from a regulatory compliance basis -- a box-ticking exercise, if you will -- to how can we apply [sovereignty principles and strategy] as a fundamental risk framework to operate resiliently," he said.

The Kyndryl framework spans three dimensions: data sovereignty, operational sovereignty and technological sovereignty. The data side focuses on where data is stored and processed and who can access it, Wolfe said. It also covers which regulatory regimes apply to a particular organization. Operational sovereignty involves an organization's ability to operate, maintain and recover systems without undue external dependencies. Technological sovereignty centers on limiting its dependence on technologies controlled or subject to interference by foreign governments.

A readiness assessment evaluates a business's posture across the three dimensions. This should spur a strategic discussion and produce an action plan on how to achieve specific sovereignty goals. Wolfe said those goals have different drivers, such as data and AI, operational independence and regulatory compliance. Each goal will have a different action plan.

IDC's framework focuses on sovereign AI, which includes data sovereignty. The framework covers core technologies such as data models, infrastructure and AI chips and extends to include sourcing of model training data, supply chain relationships and regulatory compliance. Geopolitics is included as a constraint.

Babin said CIOs, CDOs and other leaders need to determine where their organization stands regarding the jurisdictions where it operates and the applicable rules and regulations. That means understanding "the footprint of your organization, [including] customers, operating units and supply chains," he noted.

In addition, the organization's industry -- whether financial services, transportation, power generation or others -- will have specific AI regulations to consider, Babin said.

At Forrester, Maisto also cited AI's influence on data sovereignty approaches. Data resides in an infrastructure, flows through a network, is used by SaaS offerings and feeds into AI workloads and large language models, he said. At that point, technology and business users operationalize the data.

"That's where data sovereignty actually develops into six different domains: data, infrastructure, network, software, AI and people," Maisto said.

Across those domains, the specific sovereignty issue will drive a particular remedy, he added.

Implementing sovereignty controls

The strategy and planning work leads to the implementation stage, which focuses on controls -- the risk mitigation measures used to address sovereignty challenges.

Cloud platform infrastructure, which houses data and workloads, is a critical area for establishing controls. The sovereign instinct might be to keep all data assets within a locally owned and hosted cloud.

"A lot of people look at sovereignty and they think isolationism: 'We are just going to isolate as much as possible and create this digital fortress,'" Wolfe said.

But instead of dropping public clouds entirely, an organization can pursue segmentation as a design pattern. A business in the EU, for instance, could identify and segment sensitive data sets and workloads restricted to EU jurisdiction with tighter operational controls, Wolfe said. Other data sets and workloads could continue to benefit from global cloud scale, he added.

For example, a business might want to adopt or continue using a SaaS product that only runs on a particular hyperscaler's platform. Such cases make achieving full sovereignty a nightmare, Maisto said. Businesses operating in more than 100 countries, as some of his clients do, underscore the impossibility of the task, he added.

Maisto's alternative is what he terms "minimum viable sovereignty," which relies on workload assessment. Here, data and IT leaders identify workloads that absolutely require sovereign controls. The idea is to reserve the tightest control for the most sensitive workloads, while avoiding over-engineered protection for less sensitive ones. This method offers the ability to combine hyperscaler clouds, local cloud providers, private clouds and on-premises resources as appropriate.

With minimum viable sovereignty, organizations must determine whether a sovereign cloud is an available option for their problems, Maisto noted. Sovereign capabilities from hyperscalers and other cloud providers are entering the market at a quickening pace, so leaders need to check regularly for new developments.

If a sovereign cloud is available, the assessment shifts to cost. Maisto outlined some questions to consider: Is the sovereign offering more or less expensive than the non-sovereign version? If it's more expensive, does the sovereign option justify the cost?

In addition, organizations should weigh cost trade-offs between hyperscalers and local providers. Achieving sovereignty with a hyperscaler might prove more costly than working with a local vendor, Maisto said. But even if the local vendor is cheaper, change management and migration costs would still need to be considered, he noted.

Controls such as data vaulting and advanced encryption also play a role in building a sovereign architecture. With data vaulting, isolated and protected copies are created for resilient recovery, Wolfe said. Advanced encryption coupled with customer-controlled key management provides sovereign control over key access, he added.

Building AI models with sovereignty in mind

As AI becomes embedded in the bigger sovereignty picture, enterprises need to build AI models without moving raw data around by using techniques such as federated learning and secure multiparty computation. Fariba Wells, senior vice president of global government affairs and policy at Kyndryl, said she has seen some uptake for those methods.

"Adoption is growing but remains selective -- concentrated in highly regulated sectors where data movement is tightly constrained," she said.

Wells said the techniques align well with sovereignty objectives in that they allow AI models to be trained or refined without centralizing raw data -- directly reducing legal and regulatory exposure.

"Federated learning is the more mature of the two in enterprise settings," Wells noted.

That approach enables model training within local or sovereign environments while sharing only model updates or parameters across regions, she said. This lets organizations benefit from broader data patterns without violating data residency or access restrictions.

Secure multiparty computation and related privacy-enhancing technologies "show real promise" but are currently being applied only in narrow use cases due to complexity, performance overhead and integration challenges, Wells said.

Consistency and flexibility in sovereignty

Sovereignty programs aim to meet local requirements. But can they also achieve some level of consistency regarding policies, metadata, access control and quality checks -- even when data must remain in separate regions?

"The effective pattern is centralized governance with local enforcement," Wells said.

That is, organizations standardize governance policies, metadata definitions and control frameworks globally, then enforce them locally within each jurisdiction to respect sovereignty constraints, she noted.

Wells described centralized metadata and governance as the enabling layer. Here, business glossaries, lineage management and defined data stewardship roles give teams visibility into where data resides, how it's used and which policies apply, regardless of location, she said.

"The goal is not to eliminate fragmentation -- it's to orchestrate it," Wells said.

As a result, organizations maintain control while preserving the operational flexibility needed to run analytics and AI at scale, she said.

Given the changing regulatory landscape and evolving technologies, adaptability is a requirement for sovereignty.

"It's the optionality that is really key here," Wolfe said. "Every cloud and AI decision already has sovereignty implications. The advantage goes to leaders who make those decisions deliberately, instead of making decisions by inaction."

John Moore is a freelance writer who has covered business and technology topics for 40 years. He focuses on enterprise IT strategy, AI adoption, data management and partner ecosystems.