The Rise of Sovereign Cloud
Cloud computing has become an integral part of many UK businesses and organisations, providing the ability to store and process vast amounts of data. However, with new regulatory controls, changes in international law, and an increasing focus on compliance; knowing where your data is stored and processed is essential. Sovereign cloud offers ways to address the concerns of regulatory requirements, data sovereignty and security.
A recent International Data Corporation (IDC) survey shows the continued growth in private and dedicated cloud deployments of around 25% globally between 2020 and 2024; private cloud comprising of around 40% . The benefits of Public Cloud continue to be compelling, and the capabilities and usage continue to grow; but as organisations become more discerning and aware of the many options, the reversal of migrations (or cloud repatriation) is not only being considered but is already taking place. We are also seeing Government Cloud strategies continue to evolve to “harness the benefits of cloud technology while making sure high standards of cyber security are met.”  such as the Scottish Government’s recent announcement for their own cloud platform service for the public sector.
In this blog, we will explore the concept of sovereign cloud and its potential benefits for UK industry.
What is Data Sovereignty?
The laws applicable to data and the legal rights of individuals about whom data is collected depend upon the physical location(s) of where that data is stored or processed as well as the nationality of the individual that it relates to. The UK, like many countries, has limitations on the transmission of data both within and outside its borders.
It is also worth noting the difference between data sovereignty and data residency. Data residency refers to the geographical location(s) where data is stored, whereas data sovereignty is focused on the legal and ethical implications of data collection, storage, and processing.
So where is my data?
A simple question which, in most cases, is not so easy to answer. Whether the term digital transformation is a part of your organisations’ strategy or not, everyday IT services are delivered from a mix of services such as Microsoft 365 and other productivity tools, video conferencing, online HR, payroll, accountancy etc alongside corporate networks, bespoke databases, and private file stores.
As the use of ‘as a service’ continues to grow, so does our reliance on the suppliers and service providers that deliver them. The services that you use may well state that your data remains in your country – that is great – but there are other considerations:
- Within the service they provide, there is likely to be provision for them to move those services and / or data to locations outside those boundaries for operational purposes within their respective platforms. Common examples are data backup, business continuity and disaster recovery that often move services to other geographic locations.
- There are situations where the data itself is not transmitted outside the boundaries specified, however metadata and / or items that could infer the data use or aggregation can be sent to be processed. I.e., the data is stored locally but is processed or moved in transit elsewhere.
- Are there circumstances under which your data can be accessed – for example US Authorities can access American-owned cloud services, regardless of which country the data is in, as they are subject to the provisions of the CLOUD Act, the PATRIOT Act, and the Stored Communication Act (SCA).
Coming up next…
Why is Sovereign Cloud important to the UK?