The IDC Cloud Pulse 2Q22 Survey noted that data sovereignty and industry compliance have factored highly in organisations' discussions about the future of their IT architectures, with just 4% of organisations indicating that their IT organisation will not be impacted by data sovereignty and compliance considerations.
"Among organisations that expect their IT budgets to increase in the coming year, the vast majority believe that data sovereignty and industry compliance considerations will strongly influence service provider selection decisions and decisions about their primary datacentre environments," said Chris Drake, senior research director, BuyerView research at IDC.
IDC expects data sovereignty and industry compliance considerations to be of increasing importance in decisions about the design, operation, and management of IT architectures (including the selection of cloud service providers).
FutureCIO spoke to Ian Lim, field chief security officer for Asia Pacific at Palo Alto Networks, on how data sovereignty elements are impacting operations across the organisation.
What is data sovereignty? Who is responsible for data sovereignty?
Data sovereignty is the idea that digitally stored information is subject to the laws of the country. The idea is I want to keep my data in my country so that my laws protect and govern the data that matters to me.
Executive leadership falls under the remit of general executive counsel, in most organisations. If they have a data privacy officer, it falls under their purview as well, and then very closely tied to the chief security officer and the CIO, who must figure out how to execute it technically.
When you have an organisation that has all of them (legal counsel, data officer, privacy officer), how do you manage the complexity of too many heads?
Typically, you have a committee that's driven by the data officer. It is his responsibility to know all the data regulations, not only around sovereignty but around privacy and protection, across the regions where they're doing business.
He will probably call the committee together, to meet and figure out what issues, what countries, what applies to them, and how to do it most cost-effectively. Additionally, he also must make sure that it's consumer friendly. Most importantly, at the top of the agenda lies how the organisation can comply with these laws.
How important is data sovereignty? And in which countries or industries in Asia is it more actively observed?
"Data sovereignty laws are a bit of a double-edged sword because there needs to be deep consideration in terms of prioritising what to localise and what not to localise. This is so that you don't inhibit growth in the region."
Ian Lim
China has a very strict data protection law. We do have countries like Singapore, that are also considering laws for government-based data. Vietnam is putting sovereignty protection at the forefront of its data laws.
Countries like Malaysia and Indonesia are thinking about it and planning for it. Thailand and the Philippines are looking at it from a perspective of more data privacy, versus localisation.
What is driving some countries and some governments to implement data sovereignty?
I think a lot of it has to do with the idea that if I entrust my country's data into the hands of a different country's data centre, I'm subject to subpoenas that could essentially compromise my security.
Countries that are ultra-sensitive, and concerned about that level of infringement, are moving more closely towards data localisation and data sovereignty policies.
That said, I think some capabilities are built within these cloud service providers, like the idea of bringing your encryption key into a public cloud, which can enable you to essentially protect your data.
What would be the top challenges that organisations in Asia face as regulators focus on data privacy and data protection?
Bar none is the diversity of these data localisation laws. When you're trying to implement something in different countries, that creates huge administrative costs and huge technology costs, and ultimately, the cost will be translated back to the consumers who are using them.
There should be a movement to harmonise some of the requirements here. This is so that you can fulfil an ADM 2025 Plan. I think that is one of the biggest challenges that corporations and companies will face when it comes to various laws.
Do you see low data literacy levels in Asia as a challenge?
If your question is about data sovereignty and localisation versus data literacy, the localisation laws impact multinational companies more than anyone else, versus your common consumer. They won't know where that data is stored, nor do they care.
This burden falls back on the chief data officer, the chief legal counsel, etc, to understand what it means, and then the CIO and the COO to understand how much this is going to cost, and how complicated this is.
We are seeing a shift to multi-cloud or hybrid in some cases. Does this complicate compliance for organisations as far as data localisation is concerned?
Let's say, for example, Singapore's index data localisation, or data sovereignty law. Singapore isn't very big. Why would you want to do a multi-cloud or public cloud? One of the key reasons is resiliency. If anything happens in one region, your system is not down.
There are huge technical implications to these laws. That's why I don't believe that Singapore has outlined a strict data sovereignty law. But multinational companies have to consider how to do business continuity in certain aspects, with the use of multi-cloud and hybrid cloud when you're subjected to these laws.
Will Hong Kong face the same?
That's just one of many aspects, such as administrative overhead, the ability for you to now establish your commerce freely in the ASEAN region. For example, Indonesia wants to do something with Thailand, wants to do something with Malaysia, and they want to have a credit card transaction or customer database that flows so that they have a seamless experience, whether they're in Thailand, Bangkok, or Indonesia. It just makes things more complicated. How do you balance this double-edged sword that we were talking about in that we want an advanced, seamless, digitised region?
As more organisations rely on business applications running in the cloud, some are observing that operating costs are exceeding expectations. How do you see this impacting data sovereignty efforts?
The problem with regulation at large is that if you don't comply, you're going to get into heartaches with your regulator, which might impact you in fines and in terms of your ability to operate, licensing, suspension, etc.
The burden falls on the CEO, the CIO and the CTO to say, these are your regulations. It comes to what the law is and how they interpret it, and how they can cost-effectively implement their technology to reduce FinOps costs as best as they can while complying with the law.
Do you see green initiatives impacting the local data or data sovereignty issues?
Instead of consolidating your infrastructure and your technology in the most cost-effective and ESG-compliant way, data sovereignty and data localisation law will say, no, I want you to stand up a smaller data centre. So yes, consolidation helps reduce the environmental impact. They will have some impact on your ESG.
How do you see compliance and risk officers working with CIOs and CTOs to ensure that innovations are pursued while remaining compliant with evolving regulations?
One of the key things that CIOs and CTOs can do is evolve your monolithic applications into more of a cloud-native architecture. It's almost looking at it from a macro versus micro perspective. Application-wise, you can now have the ideal situation, to be able to leverage the public cloud at large, to be able to do business continuity at large in multiple regions and to enhance protection.
When you start looking at multi-regional innovation, that whole idea of, for example, an app in Malaysia that can be used anywhere I want. That level of innovation can be hindered by data sovereignty.
For an organisation to have some level of success in complying with data sovereignty issues, what is your advice to the executives responsible for this effort?
"We need to get together and enhance the public-private dialogue. We must go back to this idea of harmonising requirements that meet the needs of the countries that we're doing business in, as well as balance it against the needs of the enterprises that must do business with."
Ian Lim
Let's reach out and collaborate, for a common interest, to talk to governments about harmonising these laws so that they are usable and easy to implement while protecting the requirements that are set forth to fulfil.