Data sovereignty: an existential issue for nations and enterprises

Data has long been recognized as an organization's most valuable asset, arguably more important than physical infrastructure or even brand. This is reflected by intangible corporate assets, primarily data including R&D and intellectual property, exceeding $60 trillion in value in 2024.

When used effectively, data unlocks competitive advantage, new markets, better decisions, and helps deliver transformative customer experiences.

Given how critical data is to the day-to-day operations of modern businesses, it needs to be managed, and safeguarded, more than ever. As global geopolitical uncertainty persists, the topic of data sovereignty has become top of mind for governments, regulators, and businesses.

Data residency, data sovereignty

Defined as the principle that data is subject to the laws and governance structures of the country in which it is collected or stored, data sovereignty concerns who has the authority to dictate how data is managed, accessed, and used, particularly in an increasingly interconnected and data-driven world.

For a long time, companies believed data sovereignty simply meant where their data resided, but amid geopolitical shifts and AI’s impacts, organizations now need to distinguish between data residency – where data is physically stored, and data sovereignty – who has legal jurisdiction over that data.

Data sovereignty risks; a perfect storm

Today, new risk factors are reshaping the data sovereignty landscape and pose new questions over access to and use of business-critical data.

Geopolitical conflicts, emerging regulations, international competition and the desire for tighter control of data to power innovation, are forcing company leaders to reconsider their business-critical data’s location, who has authority over it, and how this impacts operations.

Until recently, the idea that an organization's digital operations or services could be interrupted by a third-party ‘kill switch’ would have seemed impossible. However, conditions now exist for governments or global businesses’ core operations being interrupted or revoked without warning via foreign laws or regulations.

Examining three factors in particular shows that service disruption or outages are no longer just hypothetical.

Geopolitical tensions

As conflicts between countries and economic sanctions increase, nation-states are restricting the flow of goods, services and data, trade, collaboration and free information exchange. OECD/WTO research estimates that disruptions to cross-border data exchange alone could reduce global GDP by 4.5%.

Today’s uncertain geopolitical landscape has introduced a heightened risk of service disruption for organizations that depend on services from non-domestic providers—stressing the importance of considering where data is located and managed and where services originate

Regulatory pressure

Law-making bodies have in recent years sought to regulate data flows to strengthen their citizens’ rights – for example, the EU bolstering individual citizens’ privacy through the General Data Protection Regulation (GDPR). This kind of legislation has redefined companies’ scope for storing and processing personal data.

By raising the compliance bar, such measures are already reshaping C-level investment decisions around cloud strategy, AI adoption and third-party access to their corporate data.

Critical infrastructure

Changes in individual governments’ policies are causing uncertainty for cross-border data governance, cloud access and international regulatory harmonization.

Across all regions, organizations are seeking greater control, visibility, and jurisdictional alignment in their data infrastructure – not just for compliance, but for achieving business objectives, operational resilience, and maintaining trust.

Many enterprises are re-evaluating their supply chain and infrastructure locations, vendor jurisdiction, and legal risks, especially when operating in heavily regulated sectors such as healthcare.

Leaders rethink risk

New research commissioned from the University of Technology Sydney (UTS) examined enterprise leaders’ views of the changing landscape. It shows how data sovereignty has moved from a background compliance requirement to a board-level priority.

There was universal agreement (100% of respondents) that sovereignty concerns, such as service interruption, have forced their organization to review where data is located. More than nine out of ten (92%) said geopolitical changes have increased the risk of enterprises failing to fully address data sovereignty questions.

Company leaders fear their data sovereignty could be compromised: 92% fear reputational damage, and 85% fear they could ultimately lose customer trust.

Faced by anything from potential service outages to existential threats to their business, leaders have acted: 78% are embedding sovereignty in core processes, migrating from multiple service providers to investing in sovereign data centers, and putting governance clauses in contracts.

Containing data sovereignty risks

Faced with dynamic data sovereignty risks, enterprises have three main approaches ahead of them:

First, they can take an intentional risk assessment approach. They can define a data strategy addressing urgent priorities, determining what data should go where and how it should be managed - based on key metrics such as data sensitivity, the nature of personal data, downstream impacts, and the potential for identification.

Such a forward-looking approach will, however, require a clear vision and detailed planning.

Alternatively, the enterprise could be more reactive and detach entirely from its non-domestic public cloud service providers. This is riskier, given the likely loss of access to innovation and, worse, the financial fallout that could undermine their pursuit of key business objectives.

Lastly, leaders may choose to do nothing and hope that none of these risks directly affects them. This is the highest-risk option, leaving no protection from potentially devastating financial and reputational consequences of an ineffective data sovereignty strategy.

Ensuring data sovereignty

Given today’s converging geopolitical, regulatory and operational risk factors, company leaders have quickly grasped that data sovereignty no longer equates to data residency; it is a more complex principle, encompassing legal authority over data, how it is accessed or shared, and whose jurisdiction it falls under.

True data sovereignty goes beyond physical location to include operational control, governance, and an organization having full authority over its complete digital ecosystem.

Forward-looking companies can successfully navigate data sovereignty challenges by implementing data strategies that define what data should go where while managing all relevant infrastructure, partner, supply chain and regulatory risks.

We've featured the best data visualization tool.

This article was produced as part of TechRadarPro's Expert Insights channel where we feature the best and brightest minds in the technology industry today. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here: https://www.techradar.com/news/submit-your-story-to-techradar-pro