• Home
    • Blog
    • GDPR Compliance by Design Through Digital Sovereignty: Where Hyperscale Cloud Providers Fall Short | Blog

GDPR Compliance by Design Through Digital Sovereignty: Where Hyperscale Cloud Providers Fall Short | Blog

Based on a GDPR benchmarking survey conducted by Deloitte, 89% of organizations have or plan to have a formal GDPR-readiness program. Furthermore, 54% of respondents noted that the potential for large fines under the GDPR made a difference in their approach.

Hyperscale cloud providers are increasingly aware of their clients’ need for GDPR compliance and are taking the necessary steps to ensure that their services can be used in accordance with the regulations. As demand for GDPR compliance grows, these providers feel a duty to ensure their clients are able to adhere to the GDPR when utilizing their cloud services.

In fact, at the end of 2022, Microsoft announced the phased rollout of the EU Data Boundary for the Microsoft Cloud, beginning January 1, 2023. This marks an important step forward in guaranteeing data security and privacy compliance in the Microsoft Cloud.

The EU Data Boundary for the Microsoft Cloud provides a cloud-based solution that allows organizations to store and process data securely within the European Union. This helps organizations who wish to implement their digital workplace on the Microsoft cloud adhere to key aspects of the GDPR and avoid costly penalties for non-compliance.

You might wonder why it took Microsoft four years to announce its cloud strategy. The answer is simple: devising such strategies requires an immense amount of effort to ensure that users of these cloud services comply with an intricate set of regulations. This complexity is also true for organizations, which must make sure that they are adhering to all relevant regulations in implementing their digital workplace.

What if, from the outset, organizations put themselves in control of their data and infrastructure, with an eye towards compliance with regulations, to prevent potential complications down the line?

Hyperscale cloud services, however, were not designed to be GDPR compliant as GDPR did not exist at the time. The business models were later altered by Microsoft to adapt to GDPR requirements. A better alternative would be to have compliance by design.

It is one thing to change business strategies – to comply with the regulations – but a completely different matter to ensure GDPR compliance is implemented by design.

What Is Compliance by Design?

To understand this better, let’s return to the example of Microsoft. Before the GDPR, Microsoft offered huge cloud services, which were the main point of interest for organizations wanting to run their digital workplace. These services allowed organizations to store and process their data more efficiently and securely, while also providing an easier way to manage and share information.

However, after the implementation of the GDPR, the company quickly realized that certain aspects of their business model were not compliant with the regulations, as the owner of the data was not in clear control of where the data was stored, how it was processed, etc. As a result, they had no choice but to come up with alternative strategies and solutions to ensure their customers’ compliance with the GDPR, in order to retain their customers.

Compliance by design, however, requires organizations to take a proactive approach to data protection and privacy compliance, rather than a reactive one. This approach requires business strategists to consider data protection and privacy compliance requirements when designing new products and services and to ensure that these requirements are met throughout the product or service lifecycle.

In the Microsoft example, the main adaptation employed is geographical. Microsoft guarantees that your data is stored within the boundaries of your country but does not give you any further authority. If you have your data, processes, and infrastructure stored in a remote location, even if it is within your country, you cannot claim full control over them.

The key concept that helps us achieve compliance by design is digital sovereignty – the notion that individuals have control over their digital identity and data. This concept enables us to create a secure, trustworthy, and transparent digital ecosystem that is compliant with data protection regulations.

What Is Digital Sovereignty?

Digital sovereignty is an organization’s right to preserve control over its digital data and infrastructure while keeping it secure and private. It is thought to be significantly broader than data sovereignty, comprising not only data but also infrastructure and the procedures, services, and technology that go with it.

The best way to understand digital sovereignty is through its 6 fundamental pillars: protection, data privacy, residency, locality, authority, and ownership. By understanding these pillars, one can gain an appreciation of the importance of digital sovereignty and its various aspects.

The privacy pillar is concerned with data and those seeking control over it. This includes a sub-pillar of protection that ensures that information is safeguarded and access is granted only when necessary. The residency pillar is concerned with data that must adhere to mobility laws and remain inside a certain geographical area. The locality pillar requires that technology remains inside the same boundaries, with nothing beyond them. Who has access to services, infrastructure, and assets is governed by the authority pillar. Finally, the legal ownership limits for those same services, infrastructure, and assets are defined by the ownership pillar.

For more information on the concept of digital sovereignty refer to 6 Pillars of Digital Sovereignty – Importance, Challenges, and How to Achieve Them.

Where Hyperscale Cloud Providers Fall Short

Organizations can achieve digital sovereignty by implementing a range of measures, such as deploying on-premises servers to deliver services domestically or utilizing private cloud systems. This will enable organizations to control their data and ensure that it is stored and processed securely, within the confines of their own infrastructure.

Such infrastructure fulfills all of the criteria for digital sovereignty, encompassing all six pillars of digital sovereignty.

As evidenced by the Microsoft EU Data Boundary for the Microsoft Cloud, it only addresses one pillar of digital sovereignty – that of residency. With some consideration, we can also say that this helps to improve the protection pillar, considering the assurance in the security levels offered by Microsoft. Although these two measures help many organizations avoid being deemed non-compliant and avoid heavy fines, they are by no means sufficient to address other aspects of digital sovereignty.

Digital sovereignty should be seen as the foundation of compliance to respect users’ privacy rights, rather than an attempt to avoid fines and penalties.

Ownership and authority are fundamental components of digital sovereignty, yet Microsoft has not yet provided a definitive solution to address these issues. It is essential that Microsoft outlines a clear plan to ensure that individuals, organizations, and governments have control over their digital assets and data. Adequate privacy of user data and the locality of infrastructure must also be taken into consideration in order to ensure the overall safety of digital systems.

For further information on the concept of digital sovereignty, please refer to our comprehensive guide on the subject: 6 Pillars of Digital Sovereignty – Importance, Challenges, and How to Achieve Them.

Compliance by design through digital sovereignty.
EU Data Boundary for the Microsoft Cloud.

Compliance by Design vs. Compliance by Adapting to Regulations

As we have previously noted, Hyperscale cloud providers were not initially designed to comply with data protection laws or any other local regulations. Therefore, they have adapted their business plan to meet the demands of their customers and comply with applicable regulations. Nonetheless, there are some drawbacks to this method. Let us quickly review them.

Service Cost

The change of business plan has some associated costs due to the necessity to review and update their strategy, which requires costly consultation and revisions. Additionally, changes to services, infrastructure, and delivery methods may be necessary to ensure compliance. Ultimately, these costs are reflected in the price of the product that the customer pays.

On the other hand, once you have designed your solution with compliance and digital sovereignty in mind, you can be sure that you will remain compliant and there is no need for extra costs, no matter how the regulations may change in the future.

Delivery Time

Besides cost, making revisions and changes to the business plan can take several months or even years to implement. These changes are often necessary due to the dynamic nature of regulations, which are constantly changing due to time and privacy requirements. For example, the General Data Protection Regulation (GDPR) was introduced in 2018, but it took Microsoft several years to announce its compliant solution.

This delay can be avoided if digital sovereignty and compliance by design are incorporated into the solution from the outset, rather than attempting to adapt to changes each time a new regulation is introduced.

Regulation Change

As previously mentioned, regulations may vary depending on privacy regulations or political motivations. There is also the potential for an extensive set of regulations to be implemented in order to better safeguard users’ personal data. However, if you have already taken steps to ensure digital sovereignty and compliance by design, these changes will not affect you.

Advantages of digital sovereignty over hyper-scale cloud providers attempting to comply with GDPR

Compliance by design
through digital sovereignty
Compliance by adapting to new regulations
through changes in the business plans
Changes in the regulations do not affect your service costChanges in the regulations affect your service cost
Changes in the regulations do not require adaptation timeChanges in the regulations require adaptation time
New regulations will not influence your future decisions.New regulations will influence your future decisions.

Zextras Carbonio is a digital workplace that is designed with digital sovereignty in mind. It not only helps organizations prepare for a successful digital transformation but also ensures compliance by design.

Protecting Mail Server from Overloads Using Postscreen in Carbonio Community Edition | Carbonio CE
Creating a Digital Workplace: Required Software Solutions and Their Challenges | Blog