We live in an era where the quality of customer service is the biggest driver that keeps customers coming back to a brand again and again.
Part of that quality and what retains loyalty to a business is the unique and personal experience brands can offer. However, brands face a conundrum. For a business to provide a standout product or service, it needs to tap into customers’ data and use it to get insights that will help the brand build a personalised experience for its clients. Unfortunately, global businesses face many regulatory challenges when it comes to leveraging data that resides in different geographies.
This means that data sovereignty is a critical part of any IT strategy within a brand. With that in mind, what are the four simple questions that many ask around this subject?
What is Data Sovereignty?
If we look at the definition of data sovereignty, it is the concept that digital data is subject to the laws of the country in which it is processed. It applies to data regardless of its status – whether it is at rest, in motion, or in use. Therefore, businesses that handle and use data must comply with regulations and protect customers’ data. Plus, since GDPR focuses primarily on personal data, businesses must ensure that users are informed and consciously consent to the processing of their personal data, and that the information they have on the use of this data is completely up to date.
This means businesses must incorporate data sovereignty into their cloud strategy if they are to offer that unrivalled customer experience and compete with leading brands in their industry. Yet, those that use cloud services are often unaware that their externally stored data doesn’t always belong to them. This is where data sovereignty comes into play.
Does My Data Set Up Internally Affect Data Sovereignty?
It’s important to take a step back and look at how data is currently being used in many brands. For many businesses to effectively use the data they have been collecting, the data needs to be of high value. This means the data is clean, tagged in the right way, saved in the right location and free of errors and typos, so it’s searchable no matter what type of data it is. This allows teams to access and analyse business insights from virtually any data source without support from data teams, i.e. the data mesh concept. Data mesh makes data accessible, available, discoverable, secure, and interoperable.
However, brands need to make sure they have considered data sovereignty if they are to mix or contextualise different data types. This will help their teams be more innovative, creating a smooth and customisable customer journey.
What Are the Key Rulings UK Companies Need to Be Aware of?
Recent data breaches that have hit the headlines have educated consumers about the importance of data protection and privacy. Most companies are also aware of the complications of transferring customer data between nations.
The most recent well-known case or ruling began in 2013 and dealt with country data sovereignty and corporate rights. American law enforcement sought data on a user of Microsoft services in relation to a drug trafficking case. The data in question was located in Ireland, and the US Congress later passed this as the Cloud Act. As long as the request doesn’t violate the privacy rights of the country the data is stored in, the act gives customers their right to data no matter where it’s saved.
Over here in the UK, the implications of Brexit are yet to be considered. A complication of British data protection law and data sovereignty is that organisational data is not only stored in the UK, but is bound by the laws of the nation holding the data.
Digital service providers (DSPs) also have to be aware of The Network and Information Systems Regulations (NIS Directive) 2018, which were enacted in UK law and are often referred to as the ‘NIS Regulations’.
Another case is Schrems II: in 2020, the Court of Justice of the European Union (EU) issued a verdict that the EU-US Data Protection Shield, on which many companies relied to transfer their data between the US and the EU, was invalidated due to concerns around surveillance by US state and law enforcement agencies.
Based on GDPR interpretations and rulings such as Schrems II, regulators need to take a pragmatic approach to secure the interests of their industries and consumers, while also not being overly cautious with low value data or processes.
How Businesses with a Global Customer Base Should Approach Data Sovereignty
While companies started looking at multi-cloud strategies to prevent vendor lock-in, they now have more systems to manage, with added regulatory and legal complexity. So, to get this right, they must determine where the data is saved and whether it can be legally moved after being stored in a specific country under local laws. For example, if an organisation was running within a multi-cloud infrastructure, it could be in violation of multiple country data sovereignty regulations at the same time.
International data transfers under the EU GDPR can take place if the European Commission has decided there is an adequate level of protection, or if the appropriate safeguards are in place. Many companies are seeking international certification to demonstrate their compliance with GDPR and laws that relate to data security and privacy.
Businesses should also look to create a data protection strategy by researching, consulting, taking inventory, encrypting data, and developing a key scoping process.
Winning new customers and business in the digital age requires organisations to be innovative and to consistently respond to ever-changing customer demands. Today’s innovative brands are adopting the data mesh concept, which helps them keep data in motion so they can offer that unrivalled customer service using interactive data. However, getting data sovereignty laws right is the first step for businesses that want to mix or contextualise different data types to level up their business.
By Peter Reeve, VP Northern EMEA at Confluent.