Data Management: Sovereignty or Independence?

In information technology, as in many other business fields, we are often influenced by emerging trends filled with promises: innovations that disrupt the established order, where the benefits far outweigh the risks. And most decision-makers, rightly so, will eventually make the shift.

Data sovereignty is now becoming a central issue for companies wishing to maintain their independence and ensure the confidentiality of sensitive information. In this context, the choice to keep data in-house, opt for compliant cloud solutions, or build a hybrid infrastructure is strategic. More than a trend, this approach to sovereignty reflects a move towards protecting data while fostering the long-term resilience and security of organizations.

The impacts of legislation

Before Bill 25 in Quebec, the European Union and the European Economic Area had their 27 member states adopt the GDPR (General Data Protection Regulation). This legislation had a major impact on the cloud technology industry, leading to several structural changes for businesses. Overall, these regulations pushed companies to go further in their data protection efforts, even though they posed significant challenges. Quebec companies are now facing these same challenges.

Data Sovereignty 101

Data sovereignty refers to the control and jurisdiction that a country or province has over the data that is generated, stored, or processed on its territory. It mainly aims to protect the privacy of citizens, but above all, to ensure national security and protect intellectual property by limiting foreign entities' access to sensitive data.

In Quebec, the concept of data sovereignty remains largely theoretical and is difficult to achieve for three main reasons:

  • The majority of service and equipment providers, such as networks, servers, and hard drives, are located and designed abroad;
  • The software used to manage, analyze, and secure data is also mostly developed by international companies;
  • The major cloud providers (Microsoft, AWS, etc.) and even the vast majority of data center owners are American and subject to the CLOUD Act, even if their infrastructures are located in Canada.

So, how can one ensure the confidentiality of their data and maintain complete control over access, when even the building owner represents a risk factor?

Be aware that not everyone who claims sovereignty truly possesses it.

Leaving the cloud and reclaiming independence?

Since organizations cannot practically circumvent the first two constraints, many decide to repatriate their infrastructures and data internally. By doing so, they minimize the risk of their sensitive information becoming accessible to foreign governments.

Other organizations, particularly those operating in sensitive sectors such as finance, health, and government, will also do so to better meet compliance and regulatory requirements specific to their fields.

Can sovereignty and independence be achieved?

The preferred option will depend on the specific needs of the business, regulatory requirements, the nature of the data, and risk tolerance. An analysis with professionals, such as those at ITI, will allow you to make an informed decision.

However, regardless of your chosen path, you must ensure the security and confidentiality of the data while striving to respect the principles of data sovereignty as much as possible, despite the constraints:

  • Start by evaluating and classifying your data based on its sensitivity and criticality. Identify the data that requires enhanced protection measures and that you should consider keeping internally.
  • Companies must comply with data protection and privacy laws. In Quebec, we immediately think of Bill 25. One should not overlook PIPEDA and the federal Bill C-27, which complement it.
  • Select cloud service providers and data centers that comply with standards. Ensure that they truly meet sovereignty requirements.
  • Control access rigorously, limiting it to employees who need it to perform their tasks. Use multi-factor authentication (MFA) to enhance security.
  • Adopt encryption technologies to protect data both in transit and at rest, making it unreadable for unauthorized persons.
  • Implement monitoring and auditing systems, such as Security Information and Event Management (SIEM) solutions, to quickly detect and respond to security incidents.
  • Continuously train your employees on best practices for data security, legislation, and company policies.
  • Ensure that your service agreements with providers include data protection clauses and regularly reassess their practices.

The choice between a 100% cloud-based infrastructure, internal physical infrastructure, or even a hybrid one goes far beyond data sovereignty, because in reality, it is not 100% attainable.

Étienne-Hughes Fortin

Senior Technology Advisor, Public Sector

Even though data sovereignty is a legitimate goal, it should not become a barrier to innovation and competitiveness. Too many restrictions in the choice of infrastructure and providers can limit access to the best technologies, particularly in artificial intelligence, cybersecurity, and advanced analytics. In a context where data exploitation is an increasingly strategic lever, it is essential to adopt a balanced approach by protecting information without confining the company to an overly rigid framework. By favoring solutions that ensure compliance, security, and performance, organizations can grow and remain at the forefront, rather than being confined to a sovereignty that, in fact, is illusory.
