Philip Ingram MBE explains why data sovereignty is becoming a critical issue for organisations moving security and IT systems to the cloud.
Over 25% to 44% of organisational physical security setups are currently in the cloud or use a hybrid approach, with adoption rapidly increasing.
Roughly 92-98% of businesses use cloud solutions for general IT, and 75% of security leaders plan to transition to cloud-based physical security within 12 months, says a report quoting the CCTV company Verkada.
The key to understanding wider risks from cloud-based systems is as much about data sovereignty as it is cybersecurity.
According to an average from several studies, only 35% of organisations have full visibility into where their cloud data is stored and governed.
This surprising gap becomes especially concerning when you consider that the UK’s digital economy relies on technology in government institutions and healthcare services.
A survey published in Data Centre Magazine reveals that 78% of UK IT leaders now prioritise sovereignty when selecting technology partners.
Yet many organisations operate under dangerous misconceptions about data sovereignty and believe that choosing a UK cloud region guarantees compliance.
Data sovereignty refers to the principle that digital information is subject to the laws and regulations of the country where it is stored.
If we collect data in Spain and store it in the United States, we must comply with both nations’ legal frameworks. This isn’t just about physical location.
The country where data resides holds jurisdiction over how that information can be accessed, used and protected.
Three related but distinct concepts often create confusion. Data sovereignty means data is governed by the laws of its storage location.
Data residency is just the actual physical location where data sits.
Data localisation refers to governmental policies that prohibit transferring data outside specific borders.
These differences matter because choosing a UK data centre doesn’t automatically mean we’ve achieved sovereignty.
Cloud computing fundamentally complicates data sovereignty.
When we use cloud services, our data may physically reside in data centres in different countries, each with its own legal framework.
A provider might promise our data “never leaves the EU,” but jurisdiction follows ownership, not location.
The U.S. CLOUD Act exemplifies this challenge.
Passed in 2018, it allows American law enforcement to compel U.S. companies to provide data stored abroad, regardless of the physical location.
This creates direct conflict with GDPR Article 48, which states that court orders from third countries are only valid if based on international agreements like Mutual Legal Assistance Treaties.
A U.S.-based provider managing data in Frankfurt can still be legally required to hand it over to American authorities without involving European regulators.
Geopolitical risks compound these concerns.
Research shows that 84% of UK IT leaders worry geopolitical developments could threaten their control over data and access to it.
Trust in major technology providers has fractured. 43% of UK IT leaders state they do not trust Big Tech with their data.
Non-compliance carries severe consequences.
GDPR regulators have issued over €4 billion in fines since its inception.
Organisations now navigate compliance in more than 130 countries, each with distinct requirements.
Sovereignty failures create operational disruption and reputational damage that go beyond financial penalties.
Survey data by Everpure reveals that 100% of industry leaders confirmed sovereignty risks have forced organisations to reconsider data locations.
92% warned that inadequate sovereignty planning could lead to reputational damage.
The stakes extend beyond compliance. 68% of respondents say stronger UK/EU compliance would make them choose non-U.S. providers, so sovereignty becomes a competitive differentiator that directly affects market access and customer trust.
Selecting a UK cloud region provides no guarantee that data remains within British borders.
Microsoft admitted to Scottish policing bodies in June 2024 that it could not guarantee UK policing data hosted on its public cloud infrastructure would stay in the UK.
This revelation exposes a systemic problem with regional data storage.
Cloud providers enable geographical region selection, but data may be processed or transferred internationally in specific situations.
Microsoft’s own documentation confirms that personnel located outside a specified geographical area may operate data processing systems within that region remotely.
Several Azure services store certain data outside the customer-specified location.
Encryption strengthens security but doesn’t resolve data sovereignty compliance requirements.
Encrypted data remains subject to the laws of the country where it resides.
The provider may still access data under the host country’s legal jurisdiction if encryption keys remain available to them.
For encryption to support sovereignty, organisations must control their own encryption keys and hold them outside the vendor’s infrastructure.
Without this control, encryption merely asserts sovereignty rather than delivering it.
Providers’ sovereignty protections differ substantially.
A cloud provider subject to U.S. jurisdiction can receive lawful orders to submit data regardless of the storage location, even if companies host data in the EU.
The U.S. CLOUD Act permits American authorities to access data stored abroad by U.S.-based companies, even in jurisdictions with stronger privacy protections.
This article was originally published in the April edition of Security Journal UK.