From data ownership to sovereignty, how CIOs must consider the impact on cloud service usage

The rapacious adoption of a diverse range of cloud services by commercial and public organisations has led many governments worldwide to ask, “Who owns data generated and/or processed within our sovereign borders?”. Trying to answer this question and legislate accordingly has become a challenge for all parties involved. According to the United Nations Conference on Trade and Development (UNCTAD), 137 of 194 countries now have legislation to secure the protection of data within their sovereign borders. For example, the EU has GDPR, China has PIPL, the USA has the CLOUD act, Brazil has LGPD, and Singapore has PDPA.

It has led to more significant, and often incorrectly interchangeable, use of the terms data sovereignty, residency, and localisation. Each focuses on distinct dimensions to the overall challenge faced by both suppliers (e.g., Amazon, Microsoft, Google, Salesforce, ServiceNow) and end-user consumers of cloud services within and across countries. Whilst there is much focus on these terms, it is essential to understand that CIOs face further challenges within their organisations regarding data ownership, lineage, and regulation. To help contextualise data sovereignty regarding end-user organisations consuming cloud services from suppliers, the following frames each of the critical areas:

• Data residency is where an organisation defines what geographical locations it will store the data pertaining to its services. For example, a cloud compute provider could provide a service within a country but locate the data in another.
• Data sovereignty refers to per-country laws that data stored within a country is subject to the laws of that country.
• Data localisation refers to per-country legal obligations, which may vary in stringency, for data created within its borders to reside there permanently and not be transported outside it.
• Data regulation is the impact on data of operating regulations within specific industries that are derived from industry bodies (which may be country-specific or global in nature) and/or governments. For example, food quality and transport standards in the grocery segment of the retail industry.
• Data lineage refers to an organisation’s ability to map the data journey from creation to motion, use, and rest. It allows a CIO to authenticate data provenance across an organisation. This is especially important for CIOs due to the growing use of automation, orchestration, and machine learning being applied to data and ensuring an organisation can establish an appropriate data security posture that meets client, regulatory, and governmental commitments.
• Data ownership is, in this context, focused on the role of an employee as an information/data asset owner within an organisation. A standard definition of which is a person responsible for ensuring specific data assets are handled and managed appropriately. Most importantly, asset ownership of data/information is not restricted to employees within an organisation’s IT function. Any employee identified as responsible for the creation and/or responsibility of data types becomes an owner. For example, sales team members are typically the asset owners of sales records on existing and prospective clients.

What do these mean for the CIO?

The first three areas most impact the cloud service providers rather than CIOs directly. A CIO will have data governance requirements that align with their organisation’s needs, regulations within their industry (in and across operating countries), data sovereignty, and localisation laws. A CIO will expect a cloud service provider to address meeting data sovereignty and localisation laws before considering their offering. This should be part of any Request for Information (RFI) / Proposal (RFP) process. For organisations that operate across and within geographic locations, this expectation of cloud service providers will be a crucial differentiator for a CIO during an RFI and RFP cycle.

However, the most significant cloud service data challenge is not sovereignty and localisation but lineage and provenance. The modern IT function now relies on many layers of software and services. The CIO is challenged to address data sovereignty and localisation for each cloud service they use and their interactions with non-cloud technologies. Many organisations now understand that data is as necessary a business differentiating asset as the service and/or product they provide. Due to this, organisations face cyber-security challenges from bad external actors (e.g., state, corporate, and independent) and internal inefficiencies and errors.

Many CIOs rely on a range of cloud services to enable their organisation to sell a technology service/solution, integrate with partner organisations IT systems/services, or expose data externally through an API gateway. This complex tapestry of how technology is leveraged places information security and data privacy as a core focus for a CIO. To this end, many organisations are required to be ISO 27001 certified (an international standard on managing information security) by their existing and prospective clients. CIOs can see existing clients leave without certification and prospects not considering the organisation’s offering.

It is essential then that a CIO, with a CISO, address data governance by focusing on the areas of ownership and lineage as outlined above. ISO 27001 is an instrumental framework to achieve this, irrespective of whether certification is sought, as it provides the CIO with a means to map data lineage and ownership. This, in turn, provides the CIO with a clear understanding of how the organisations’ data needs to be managed across cloud services—allowing a CIO to have a clear strategy to determine the contractual obligations required in support of data sovereignty and localisation when using cloud services.