
How to Plan for Data Sovereignty in the Age of AI

Solutions Review’s Contributed Content Series is a collection of contributed articles written by thought leaders in enterprise tech. In this feature, Reltio’s Manish Sood offers commentary on how to plan for data sovereignty in the age of AI.

Modern companies are made of data. It is their most valuable asset and their greatest resource for growth and change. It must, therefore, be protected and comply with the rules and regulations of the countries where they do business. Many governments, in particular, forbid sensitive citizen or business data from residing on systems outside of their legal and regulatory controls, including: 

  • European Union (EU) – General Data Protection Regulation (GDPR) 
  • Canada – Canadian Consumer Privacy Protection Act (CCPPA) 
  • Australia – Privacy Act and Australian Privacy Principles (APP) 
  • China – Personal Information Protection Law (PIPL) 
  • Russia – Federal Law on Personal Data 
  • India – Personal Data Protection Bill

This is the challenge of data sovereignty.

Artificial Intelligence (AI) adds to the challenge. AI is perhaps the world’s most voracious consumer of data outside of search engines and intelligence agencies. And unlike search engines, AI will be deployed inside a business and will consume data that was previously considered off-limits to such technologies. Generative AI (GenAI) consumes data indiscriminately, and that data is often stored and processed at the AI companies’ discretion, not their users’. AI services employed by many business applications will need to limit the use of this data outside the data sovereignty boundaries, as required by the regulations of the specific country.


Data Sovereignty in the Age of AI

AI’s explosive growth is colliding with both established and emerging privacy and data sovereignty regulations globally, such as GDPR and CCPPA. Businesses must both attend to these policies and balance them with the ongoing business imperative to compete by using the latest data technologies available. Few businesses (if any) would voluntarily keep their data in a single regulatory domain if they want to make the most of available tools. In reality, most multinational businesses have data residency strategies to store and use data in multiple countries and regions to serve customers and employees better. Physically locating information in different locales means it might become subject to different data protection laws, however.

Fortunately, competitive and regulatory balance is achievable for organizations with the right blend of mindset, policy, and tools. Here are five things you must consider to protect data sovereignty as your organization integrates AI: 

  1. Mindset. Ensure data sovereignty issues are front and center throughout the company. Everyone who creates systems that use or modify data must understand the fundamentals of data sovereignty, which means understanding the business risk of not following policy. Educating employees about data sovereignty should not be a heavy lift.
  2. Inventory. Data grows as businesses expand, and as it grows, it fragments and ends up in silos. According to Salesforce, the average enterprise now has 1,061 different applications, although only one-third of them are connected. Moreover, Salesforce also discovered that it typically takes 35 applications to support a single customer interaction.

You must know your data. Once employees understand the importance of data sovereignty, the organization can create and maintain an inventory of the company’s data. In addition to knowing what is in the data, organizations must be aware of the vendors that act on your data.

  3. Internal Policies and Governance. Be fluent in regional data residency laws and comply with them. The company’s governance team must understand what is in the data, its structure, and what vendors it uses to process it. To protect the company from data sovereignty challenges, you must have systems to manage anonymization and pseudonymization when partnering with other companies that process data.
  4. Vendor Dialogs. Enforce vendor compliance. The governance team must work with external vendors to ensure they have specific provisions that comply with the company’s policies. As data sovereignty regulations expand, vendors must deliver the data services in compliance with the regulatory frameworks of the regions where the business operates.
  5. Data Unification Technologies using AI

You need clean, connected, trusted data to ensure data sovereignty compliance. Modern tools leverage AI/ML capabilities to speed up and enhance data unification so that your data is internally consistent. Data unification tools can work more expansively and faster than a manual process.

Today’s modern master data management (MDM) tools also leverage AI to detect data leakage, which occurs when data leaves or is at risk of leaving the borders that policy constrains it to. Modern MDM can also trace the entire lineage of data: the sources the data came from, who contributed changes to it (a particular system or user), who consumed it, and when these actions were taken. That is the level of visibility we provide. Provenance is an important capability for managing data products. AI-powered MDM tools can use pattern recognition to spot when a business is leaking personally identifiable information (PII) or other information that needs to be kept within borders.

Example: Healthcare 

Healthcare systems face some of the most restrictive privacy and sovereignty policies. Many of today’s healthcare management systems show that it is possible to have flexible and robust data management systems that remain compliant if the systems are designed with data management policies from the outset. 

For example, in a healthcare system, each customer (patient) can get a client ID kept locally; any system that needs to attach data to a patient uses only that ID. When data is processed, for billing or analytics or other reasons, the PII stays put; only the necessary information is transmitted. 
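The pattern described above, as an added sketch (not code from the article or from any vendor product): PII stays in a regional store, downstream systems receive only an opaque client ID plus the fields they need, and an egress check flags payloads that still carry PII. The class, field names, key and sample patient record are all constructed for illustration.

```python
import hashlib
import hmac
import re

# Constructed sample values; in practice the key would live in a regional KMS.
REGION_KEY = b"constructed-demo-key-kept-in-region"
PII_FIELDS = {"name", "email", "national_id", "address"}
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")


class RegionalVault:
    """Holds PII inside the region; hands out only an opaque client ID."""

    def __init__(self, key: bytes):
        self._key = key
        self._records = {}  # client_id -> full record, never exported

    def register(self, record: dict) -> str:
        # Keyed hash, so the ID cannot be recomputed without the regional key.
        mac = hmac.new(self._key, record["national_id"].encode(), hashlib.sha256)
        client_id = "c_" + mac.hexdigest()[:16]
        self._records[client_id] = record
        return client_id

    def export_for(self, client_id: str, needed: set) -> dict:
        """Outbound payload: the client ID plus only the requested non-PII fields."""
        blocked = needed & PII_FIELDS
        if blocked:
            raise PermissionError(f"PII may not leave the region: {sorted(blocked)}")
        record = self._records[client_id]
        return {"client_id": client_id, **{k: record[k] for k in needed}}


def leaks_pii(payload: dict) -> list:
    """Egress check: flag PII field names and email-shaped values in free text."""
    hits = [k for k in payload if k in PII_FIELDS]
    hits += [k for k, v in payload.items()
             if isinstance(v, str) and EMAIL_RE.search(v) and k not in hits]
    return hits


# Constructed patient record; "notes" shows PII hiding in a non-PII field.
PATIENT = {"name": "Ana Example", "email": "ana@example.org",
           "national_id": "000-00-0000", "procedure_code": "99213",
           "amount_due": 120.0, "notes": "contact ana@example.org"}
```

The field allow-list alone would let the `notes` value through, which is why the payload is also scanned by content before it leaves the region.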

Don’t Sacrifice Speed, Agility, or Geography 

With the right tools and technology partner, a company does not have to slow down to ensure compliance with its own or governmental policies. Instead, the correct tools, approach, and mindset let companies act quickly and seamlessly on emerging issues, such as flagging pop-up data programs that are against policy before they become entrenched, while the team is still active on the project and can modify it for compliance. Data sovereignty regulations vary by country, and they can be incredibly detailed and complex, spanning data privacy, data localization, data residency, and more. Working with a partner that can manage data in compliance with local privacy regulations around the globe, from Asia-Pacific to North America to Europe, is essential for every global organization today.
