In a debate during Arendalsuka, the largest political gathering in Norway, held annually since 2012, we contemplated the topic together with DigDir and Advokatfirmaet Schjødt.
The right cloud for the right data has, therefore, never been more critical. It is important to protect sensitive data, but at the same time to allow data sharing in a secured network. Digital sovereignty is a key concept in this respect.
Digital sovereignty is necessary to secure and protect our digital assets. In practice, it is about access to data, where it is located, where it moves, and who has the jurisdictional control. These are critical questions for a modern data economy.
In a debate during Arendalsuka, Knut Karper-Bjørgaas (Department Director of Digital Strategy and Communication, Directorate of Digitalisation), Øyvind Eidissen (Partner and Lawyer, the law firm Schjødt), and Wenche Karlstad (Head of Strategic Differentiation Programs, Tietoevry Connect) highlighted the issue. The debaters emphasized the importance of guarding the data as individuals, companies, social institutions, and Norway as a nation.
Øyvind Eidissen at Schjødt Law firm also believes that the core concept is to have control over storage and access to our own data, whether it concerns personal data or other proprietary data. According to his experience, the most significant challenges related to digital sovereignty result from a complex legal landscape and rapid technological development that constantly complicate current legal guidelines.
What do GDPR, the Cloud Act, the Schrems II judgment and other regulations mean for Norwegian businesses and the public sector's choice of cloud solutions? And how should one deal with the different regulations? These are two of the most central questions.
The impression Wenche is left with after the event is that awareness around digital sovereignty is increasing. But it is complicated and time-consuming to keep up to date. It is, therefore, essential that both the industry and the authorities contribute with clear guidelines, and with concrete advice based on the applicable framework. This means distinguishing between types of data, for instance critical and open industrial data, and finding concrete solutions for the right purpose and the right cloud storage.
Karlstad and Eidissen believe that action is needed to reduce the competence gap between large and small players. Eidissen believes that demands for specialist expertise, in complex legal and technical issues, require resources that are difficult for smaller businesses to possess themselves. This naturally means that the need for external assistance will increase.
In this respect, it is encouraging that several public agencies have recently taken the initiative to establish guides for various user groups on behalf of the government. For example, the Norwegian Digitalisation Agency initiated work with a guide for good practice following the EU Court of Justice's Schrems II decision.
The uncertainty surrounding changing rules is entirely natural. Not only are the EU regulations changing, but the Nordic countries also have a different approach. On the other hand, the EU is taking necessary regulatory measures that protect us in Norway as a result of EEA membership.
By the end of the year, there will be an updated Privacy Shield from the European Commission. The EU organization ENISA is working on specifying requirements for different degrees of sovereignty for cloud services which can be clarifying for the industry, organizations, and businesses.
The principles of sovereignty will affect everyone who stores data in the cloud, which primarily has consequences for those who need to handle data at a high level of security.
The major American cloud providers still want to deliver their services in Europe. For example, this summer, Microsoft announced that they will offer solutions in line with stricter European regulations. This means that not only will their data centers be in Europe, but they must also operate with support functions in Europe to meet new requirements for sovereignty within their partner programs.
So, which steps are most important for Norwegian businesses to take to ensure digital sovereignty develops in the future? Eidissen encourages the acquisition of the necessary expertise to provide the proper framework for the assessments of individual businesses.
Don't be too cautious about the opportunities to think innovatively and adopt desired solutions. In most cases, there are promising solutions, and the possibilities are far more than many think. But the right expertise is needed when making solid risk assessments.
Wenche agrees that in Norway we generally have a high level of maturity and great innovative force in digitalising services for citizens and society. The competence is also good compared to many other countries. The challenge is that small and medium-sized players must have the same conditions as the large ones. It is mainly about providing incentives to promote innovation and growth as well as facilitating the sharing of protected data in a trust-based infrastructure.
If you want to share data, including health data, you must be sure that the technical systems ensure that such data does not go astray. Data is a resource that can and should be shared assuming that you do it right. And we must take advantage of the opportunities it provides, such as adopting new smart technology.
At a time when cyber-attacks are increasing and new opportunities can also create new pitfalls, are Norwegian companies running greater risks than they did before? Or are they, on the contrary, better prepared?
Eidissen believes that in some areas there is probably no getting away from the fact that the risk, both in terms of regulations and actions, is greater today than in the past. Big data, increased data traffic across national borders, increased international intelligence activities and the GDPR's sanctioning regime are keywords that most people will be familiar with. In addition to this, there is security policy unrest in the world community now.
At the same time, this is not black and white, as many businesses are better equipped than ever to make correct risk assessments and make well-considered choices that can enable continued innovation and development.
In a survey by IDC, almost two out of three decision-makers in regulated industries say that it is essential to have cloud solutions that provide full control and authority over data.
We must be able to trust that the rules are so good that you must not give other countries' authorities access to sensitive data and that you classify data in a way that ensures the necessary control. The awareness surrounding the choice of cloud solutions in a multi-cloud landscape is crucial in this respect. It is ultimately about taking ownership of the value of data and our businesses, says Karlstad.
Wenche is passionate about creating value for our customers and enabling growth with attractive service offerings. She has nearly twenty years of experience in the IT business with different roles within management and advisory, bringing new services to the market.
In her current role as Head of Strategic Differentiation Programs at Tietoevry Connect, she is leading a global team of experts and managers.