Resolving Cloud-Based Data Sovereignty Challenges

Technology leaders discuss the challenges around cloud-based data sovereignty and how they would advise navigate changeable regulations.

Cloud-based solutions have made accessing IT resources, files and entire systems much easier for those who require on-demand services at scale. This last point was made particularly acute during the two years of a pandemic whereby most of the world accessed their files and working day remotely, supercharging a flexible working model that benefited organisations with a mature cloud policy. Data sovereignty however is a key part of the protections that businesses and institutions can enforce to benefit users, clients and the industry as a whole. In order to work within the guardrails of those data sovereignty policies, however, takes time, work and investment in a changeable sector, one that also evolves differently across the world.

The panellists of this roundtable delve into the regulations imposed on their organisation’s cloud strategies, the strain on customer data, and how technology can be part of the solution.

With Mark Chillingworth moderating, the speakers of this roundtable include:

• Paul Scott-Murphy, CTO, WANdisco
• Katie Nykanen, CTO, QA Ltd
• Maritza Curry, Head of Data, BNP Paribas Personal Finance SA
• Detlef Nauk, Head of AI & Data Science Research, BT 
• Des Field Corbett, CIO, Allianz Direct

Regulations on cloud strategies

Moderator Mark Chillingworth kicked off the roundtable debate by asking the speakers: “How are regulations, imposed by governance, affecting your cloud strategies?”.

“It’s a very hot topic for us”, said Katie Nykanen, CTO at QA Ltd. She explained that her company currently has a solid base of UK customers. In addition to this, QA Ltd has a digital platform which is used by customers around the world. While this may seem like a win to some, Katie emphasised that this comes with its challenges. Clients are worried about accessibility, arguing that they can only use the company’s platforms if the data is stored in certain continents or countries. 

Katie expressed her concern around the legal requirements and the effects this could have on the organisation. “It’s just not feasible for us in our world to host our platform and therefore our data in multiple locations”, she said.

Paul Scott-Murphy, CTO at WANdisco, also described the challenges of dealing with customers and their data in different jurisdictions. He explained that part of WANdisco’s business is assisting their customers with data management and data movement to cloud environments. They found that, with the increase of regulations around data, customers are demanding more flexibility and how data is managed. He added that he expects the challenges around this to increase with time.

“We make sure this data sits in the UK and does not leave the UK”, said Detlef Nauk, Head of AI & Data Science Research at BT. He explained that BT started their cloud migration program two years ago as part of a digital transformation. Before this, data was stored on-site in the UK, BT’s main consumer base. 

While data from the UK is secured within the country, the situation is different with other customers. “It becomes more complicated for international business”, he said. He added that upcoming AI regulations are regarded as “challenging and interesting”.

Data sovereignty and the cloud

The speakers were asked what the best way is to protect customer’s data whilst leveraging cloud capabilities. 

Des Field Corbett, CIO at Allianz Direct, believes there is a “growing groundswell of best practice”. He added: “encryption keys that you provide to the cloud members - those kind of things are pretty well thought out”. Des has a more positive view of the data strategy situation compared to his fellow speakers. He explained here that if you’re not handling higher-tier personal data, such as health information, technology leaders can “find mechanisms to overcome any kind of legislation concerns”. 

On the other hand, he mentioned that when dealing with other jurisdictions outside Europe, the process tends to become more complicated.

“There isn’t a one size fits all”, argued Maritza Curry, Head of Data at BNP Paribas Personal Finance SA. She pointed out that different cloud strategies and approaches can be used for different use cases. “This is where you want a multi-department view and here you also want the business involved”, she said. 

While having the support of the business, Maritza explained, the data owners are the ones who are guiding you on the sensitivity of the data. She wants technology leaders to be asking these owners questions such as: Are they comfortable with moving their data to the cloud?. She believes these conversations need to be embedded in the risk committee agenda to keep things within your data sovereignty methodologies running smoothly.

Technology and the customer

When it comes to protecting the customer, Detlef believes it boils down to a governance question, not a technology question. 

“We are working with legal, regulatory and strategy to prepare these kinds of procedures”, he said. In addition to this, he added that BT is making sure that they have strong governance processes combined with data ethics and responsible tech governance. His reasoning behind this was to make sure that people are aware of these questions around technology and governance.

Paul argued: “There’s no reason to say that technology can be the sole answer around regulations on data privacy”. He referred to the best practices side of things later on. Paul stated that people would be “foolish” to believe that they can dictate this around managing customer data effectively. Organisations, he argued, should always keep flexibility in mind when managing the data they have at hand. He noted: “I know best practice tomorrow will not be the same as best practice today”.

This roundtable on data sovereignty was recorded at The Studio and made in partnership with WANdisco. To find out more about The Studio, click here.