On Data Protection, Data Sovereignty and Data Privacy. Interview with Paul Speciale.
“Data silos dramatically slow down digital transformation”
Q1. Data protection, data sovereignty and data privacy: how do they relate to each other?
Paul Speciale: Data protection in its strictest sense is the best practice of protecting sensitive information from corruption or data loss. Key foci lie on privacy and confidentiality of data. The safeguarding of the data goes along with ensuring data availability as well as compliance with legal and regulatory requirements. In contrast, data sovereignty empowers countries to protect the privacy and security of data that is physically located, stored, processed, and used within their borders. Data sovereignty is part of a larger goal: digital sovereignty. Digital sovereignty provides control over digital destiny – a complete autonomy that encompasses the entire end-to-end ecosystem and infrastructure. Data privacy and data sovereignty are closely related. Data privacy is primarily focused on the control of persons over their respective data. This includes the ability to make a decision about how organizations collect, store, and use personal data. Data privacy regulations are mainly determined by data residency and provenance.
Q2. Are there any differences between data sovereignty, data residency, and data localisation?
Paul Speciale: As the name implies, data residency refers to where data is actually stored. Data residency is concerned with the exact geographical location of data. As mentioned above, data sovereignty (or data independence) has its focus on control over data based on the legal framework, the jurisdiction of the data storage and processing within a country. Data localization, in contrast, identifies the precise geographic location of data: at its heart is the storing and processing of data in the same country where it was originally created. Notably, the EU General Data Protection Regulation (GDPR) requires this.
Q3. Data sovereignty promises to break up data silos and enable the usage of data across different stakeholders that could not be shared with others so far. What is your take on this?
Paul Speciale: Data silos dramatically slow down digital transformation. However, they are no longer an obstacle if the data of an organization is to be brought together and optimized for analysis purposes. Modern cloud technology has been enhanced in a way to make such centralisation possible. Data sovereignty in the context of the cloud ensures that individuals and entities have greater visibility and thus control over their data, deciding how it is used and shared beyond the confines of silos.
Q4. What is data sovereignty in the Cloud?
Paul Speciale: Capabilities with the overall goal to ensure data sovereignty in the cloud are needed, and some cloud providers have this on their radar. However, to navigate beyond the complexity of obligations stemming from regulations, and in order to achieve true data sovereignty and data independence, a tailored approach needs to be in place that shows alternatives to relying entirely on the public cloud. Scality offers cloud-like storage that is hosted on-premise, with the same agility and standard S3 API, but with more precise location control over data.
Q5. AI, LLM Data Privacy and Data Sovereignty: What are the challenges here?
Paul Speciale: AI is moving quickly. In the hurry to embrace AI and turn it into a part of their respective operations, enterprises need to ensure that they have critical areas on their radar, with the overall goal of not putting themselves out of compliance accidentally. Within due diligence, organizations can minimize AI’s inherent risks by addressing the right questions. Among these are: Is the cloud provider of choice suitable to help guarantee data sovereignty, or should AI data lakes be built and managed on-premises for improved control? This can be ascertained by way of checking certificates. An additional question: where is the basic data for AI applications stored, and who is able to access and monitor it? The role of Large Language Models (LLMs) in AI is significant. Companies that are considering integrating LLMs into their workflows are well advised to include a risk analysis for their specific use cases in their strategies.
Q6. The EU’s new regulations to protect data (NIS2 and DORA) come into effect in October 2024 (NIS2) and in January 2025 (DORA). Can you briefly explain what NIS2 and DORA stand for and what they regulate?
Paul Speciale: The Network and Information Security Directive 2.0 (NIS2) is the EU’s new, mandatory cybersecurity regulation. It will be implemented in October 2024. Organizations in certain industries (namely financial services, energy, transport, as well as digital services sectors) must proactively take appropriate cybersecurity measures. They also must instantly report significant incidents. The key goals of NIS2 are to strengthen overall resilience to cyber-attacks, and to help improve responsiveness in the event of security issues. NIS2 is setting requirements for risk management as well as incident reporting. DORA (Digital Operational Resilience Act), which will come into force in January 2025, aims to ensure resilience to cyber-attacks for the financial sector. It follows the guidelines of the European Banking Authority.
Q7. What are the implications of such data protection regulations in practice?
Paul Speciale: Initially, companies should check whether and how they will be affected by these new regulations. In a next step, IT teams should analyze how they can enhance their existing cyber security measures to make sure they are aligned with the new legal requirements. A central aspect for all companies affected is to implement stronger cyber-resiliency measures on their data, which can start with the deployment of immutable data storage for backups to ensure that data can be recovered in the event of a breach.
Q8. What if an organization relies on content distribution or content ingestion from a global perspective? What are the challenges an organization faces in this case?
Paul Speciale: EU organizations with requirements for cross-border data flows will face challenges due to these new data sovereignty requirements, mainly in limitations on how data is transferred. For instance, organizations handling critical infrastructure data may face restrictions on exporting data outside the EU. Solutions might require setting up separate EU-based data centers or complying with strict mechanisms for these data transfers. This could complicate operations and lead to inefficiencies.
Q9. In your opinion, what is the best approach to store data to deal with compliance regulations?
Paul Speciale: To effectively deal with compliance regulations, especially in light of frameworks like NIS2, DORA, GDPR, and other global standards, organizations may consider adopting hybrid-cloud strategies, establishing regional data centers, implementing strong encryption (at-rest and in-transit), enforcing data retention policies and ensuring they have immutable backups and disaster recovery policies.
Q10. What is Scality’s S3 object storage and how can it help here?
Paul Speciale: Scality is at the forefront of the S3-compatible storage trend with multiple commercial products and open-source projects. Scality RING offers an object storage solution with a native and comprehensive S3 interface. Scality RING is the first Amazon S3-compatible object storage for enterprise applications with secure multi-tenancy, multi-level cyber-resilience, and data location control with support for single and multi-geo deployments.

Paul Speciale, CMO, Scality
Paul Speciale is currently the Chief Marketing Officer at Scality. Prior to this, Paul held various leadership roles in companies such as Appcara, Amplidata, and Savvis, focusing on cloud computing and storage technologies. With a background in technology consulting and database architecture, Paul has a strong foundation in the IT industry.