Cybersecurity insights from industry experts.

Considerations for Managing Digital Sovereignty: The Executive Perspective

Business leaders must frequently balance the advantages of cloud computing and the free flow of data across geographic borders with the need to abide by local laws and regulations.

4 Min Read
cloud against a ball background
Source: JL via Alamy Stock Photo

Businesses value the availability, scalability, and reliability of the cloud. They recognize that cloud computing can enable data to flow freely to where it needs to be accessed and processed, providing a huge advantage for organizations that operate on a global scale. 

However, the rise of cloud computing, coupled with the broader movement toward the "internationalization" of data, has led to a corresponding increase in scrutiny of data governance and how to ensure relevant digital sovereignty requirements are met.

Digital Sovereignty: Challenges and Solutions 

When considering whether to expand your business to a new country or to offer services to a new customer base, it's critical to assess the impact of digital sovereignty requirements. Those requirements vary based on which regulatory regimes apply, but broadly fall into three pillars: data sovereignty, operational sovereignty, and software sovereignty. Compliance may be achieved using multiple mechanisms, including sovereign cloud solutions powered through local partners or sovereign controls.

Consider Europe's General Data Protection Regulation (GDPR) and Brazil's General Personal Data Protection Law (LGPD) as two examples of specific regional privacy regulations that give individuals more control over how their data can be used, accessed, and stored. Similarly, legislation in Germany goes a step further, by regulating the public sector's use of cloud and requiring cloud providers to attain specific local certifications. And the Kingdom of Saudi Arabia has also promoted a data protection law that regulates, and in certain cases prohibits, cross-border data transfers. 

Organizations may find themselves challenged both to pursue digital transformation initiatives and to meet different customer data privacy and protection requirements. For instance, companies may want to enable certain features or functionalities that impact the manner in which customer data is processed or stored, but find that their technical partners are unable to provide the assurances they need to operate in compliance with local laws and regulations. 

Cloud providers can take a leading role in helping organizations navigate questions that arise from digital sovereignty challenges by providing products and services designed with digital sovereignty in mind, for instance by enabling visibility into where, how, and by whom customer data is accessed and stored. 

In certain cases, the way to achieve compliance with digital sovereignty requirements may be to partner with a local company to meet data storage or access requirements, such as via encryption key management or air-gapping. Cloud providers can make establishing such relationships easier by serving as enablers for impacted companies in fulfilling their requirement to engage directly with such a local entity.

The Executive Perspective on Digital Sovereignty

So what steps can leaders take to proactively support compliance with digital sovereignty requirements?

First, identify whether the jurisdiction you're looking to operate in has a digital sovereignty requirement. Your legal, compliance, privacy, and data governance teams can advise on whether such a requirement applies and, if so, what it entails. Next, work with your IT and data governance teams to ensure there's a clear understanding of where and how customer data is stored, which workflows impact customer data access, and whether any revisions may be needed to comply with applicable local rules. You'll also need to engage with critical partners such as cloud service providers to determine whether there are capabilities available that can support your compliance requirements. 

Take digital sovereignty considerations into account before establishing operations in a new territory or expanding services to a new customer base. Mergers and acquisitions, new business relationships, or even the hiring of a remote employee in a new location can trigger the need for compliance with new local regulations. Ensure you're asking the right questions before making these decisions, including: 

  • Will this business change expose the company to new data sovereignty rules or regulations?

  • If so, has a comprehensive risk analysis been performed to assess these requirements relative to current state controls and to identify potential gaps?

  • So our technical partners or cloud service providers offer solutions that can help us meet these new compliance requirements? 

  • What changes to internal processes may we need to make to comply with these new requirements? These may include process workflow changes, revisions to applicable policies and procedures, staff training, and revisions to regulatory change management processes, to name a few.

  • Given the impact of these requirements, is the business case for proceeding sound?

  • Has a cross-functional group been identified to manage the identification, definition, and tracking of these requirements? Consider obtaining independent verification of compliance, as well.

The legal and regulatory environment is a dynamic and often challenging space to manage, given the local nuances that can result in a patchwork of overlapping yet inconsistent requirements. The companies that succeed in the years to come will be those that best position themselves to effectively navigate the myriad local rules and requirements of the jurisdictions in which they operate. 

Read more Partner Perspectives from Google Cloud

Read more about:

Partner Perspectives

About the Author(s)

Marina Kaganovich

AMERS Financial Services Executive Trust Lead, Google Cloud Office of the CISO

Marina supports Google Cloud’s financial services customers in the Americas on Trust topics throughout their cloud journey, focusing on regulatory compliance, risk management, governance and oversight, cybersecurity and privacy.

Prior to joining Google, Marina held Legal and Compliance roles on Wall Street, overseeing the broker dealer compliance program at Thomson Reuters (now Refinitiv), leading US Compliance for the Technology, Human Capital Management and Corporate Services divisions at Goldman Sachs, and most recently, running the Digital Compliance team at BNP Paribas where she specialized in advising on emerging technologies including AI/ML and digital assets, and oversaw programs related to cybersecurity, data privacy, and cloud digital transformation initiatives.

David Homovich

Office of the CISO, Financial Services, Google Cloud

David is in the Office of the CISO at Google Cloud where he shapes cloud security and risk management practices for the Financial Services Sector.  He has over 15 years of experience implementing security policies and strategies, protecting information assets, preparing and testing incident response plans, and developing security protocols.

David helps customers reduce operational risk by ensuring organizations have the people, technologies, and processes in place to enable business operations while preventing, detecting, and responding to threats. He also specializes in advising on compliance to laws, regulations, and standards that govern information security, including ISO, NIST, and FISMA frameworks.

Before Google, David worked in both the U.S. government at DoD and DHS and the financial services sector at JP Morgan Chase and Credit Suisse.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights