Skip to main content

Beyond legal #15: Data sovereignty and absolutism

·8 mins
Beyond Legal Data Sovereignty AI Infrastructure Sovereignty Cross-Border Transfers Vendor Management Horizon Scanning

Why absolutism fails unless the business is absolutist too — and what to do instead.

Data sovereignty and absolutism

In light of geopolitical events that have had a huge impact to many companies in recent years, especially 2025, I’m hearing these phrases in some data protection circles:

  • “We need sovereign data.”

  • “We can’t use any US vendors.”

  • “No US sub-processors.”

  • “Localise everything.”

  • “What are the EU alternatives.”

…or similar words or phrases. It sounds decisive, but it also sounds a little bit like the old pattern I’ve been trying to move beyond in this series: theatre - lots of bold statements, documents and controls on paper and in theory, but very little operational capability when reality hits.

Data sovereignty is real. AI infrastructure sovereignty is real. Tightening rules are real. But the absolutist response - blanket bans and black-and-white policies, often fails to reflect the reality that an absolutist sovereignty stance only works if the business is absolutist too.

Absolutism is relatively easy on a personal level - I do try to practice this myself in the tech choices I make. I can decide not to use a specific platform, accept the inconvenience, and move on.

At a corporate level, absolutism is an operating model redesign. It touches everything:

  • market access and customer commitments

  • product roadmap and delivery speed

  • cost base, resilience, and talent

  • vendor ecosystem, security tooling, AI capabilities

  • support models, incident response, and audit evidence

If the business strategy remains “global scale, fast delivery, best-in-class tooling, predictable cost”, and the data and technology strategy becomes “sovereignty at all costs”, your entire business is at risk. You’ll soon be dealing with:

  • exceptions,

  • workarounds,

  • shadow tooling,

  • and a fragmented architecture that increases risk through complexity.

Data sovereignty used to be discussed as a legal constraint: “where is the data stored?” That framing is now too small.

What’s happening instead is a strategic re-architecture of digital markets driven by three connected trends. I outlined the broader landscape (and the trends radar diagram below) in a recent blog post:

  • Data sovereignty & fragmented digital markets Geography is becoming a design constraint. Digital markets are fragmenting into regional blocs with different rules and expectations. “Borderless” is no longer the default operating assumption.

  • AI infrastructure as strategic sovereignty AI infrastructure choices - cloud region, data centre location, chip/GPU dependency, managed AI services - have moved from “technical optimisation” into the realm of:

sovereignty and national security expectations

  • resilience and outage tolerance

  • supply chain risk (including export controls and chip concentration)

  • ESG and energy footprint scrutiny

In other words: your infrastructure strategy is now a geopolitical and resilience strategy.

  • Tightening data sovereignty rules More localisation mandates, more restrictions, more overlap between data protection and privacy, national security, and AI governance. Compliance is harder, and enforcement is more serious.

The response to these trends is not a ban list. The response is a capability.

Try this: The sovereignty alignment test

If you want to adopt an absolutist sovereignty approach (e.g. “no US sub-processors, ever”), run this test first:

Is my company also willing to adopt the business posture that comes with it?

  • Market: Are we willing to lose deals/markets where sovereignty isn’t achievable today?

  • Cost: Are we willing to pay for duplicated regional stacks and assurance overhead?

  • Product: Are we willing to accept slower delivery and regional feature divergence?

  • Vendors: Are we willing to reduce our choice of tools - especially for AI, security, and observability - until local alternatives emerge or mature?

  • Resilience: Are we ready for the complexity risk created by fragmentation (more moving parts = more failure modes)?

  • Talent: Can we staff, operate, and secure multiple regional architectures properly?

  • Roadmap: Do we accept this as a multi-year transformation rather than a policy announcement?

If your leadership can’t say “yes” to those trade-offs, an absolutist sovereignty policy is not a strategy. It’s a future exception register.

And exceptions are not free. They become risk debt, often undocumented, usually poorly governed, and guaranteed to resurface when you least want them to, e.g. during an incident, or audit to name a couple of examples.

“Risk-based approach” does not mean eliminate all risk

A risk-based approach is frequently misunderstood in sovereignty conversations. It does not mean:

  • “remove all risks at any cost”

  • “choose the most restrictive option by default”

  • “treat any transfer or US linkage as automatically unacceptable”

It means:

  • identify risks in context,

  • implement appropriate controls (technical, organisational, legal),

  • accept and manage residual risk consciously,

  • document decisions and review them as things change.

An absolutist approach can have severe business impact: cost overruns, reduced capability, delivery delays, and ironically, a weaker security posture because the architecture becomes fragmented and harder to operate safely.

If you want a visual reminder that risk behaves like a system, where decisions create ripple effects and feedback loops, this is exactly why I built my causal loop diagram:

Causal Loop Diagram of data protection risk

See this recent blogpost that explains the diagram.

Sovereignty without the drama

Below is my suggested and pragmatic approach. In line with everything I’ve said in this ‘beyond legal’ blogpost series, it’s intentionally cross-functional: CISO/CTO/CPO, plus procurement, architecture, engineering, data governance, and risk.

Step 1: Know your data (what personal data is involved, if any?)

Before debating processors, sub-processors or regions, map:

  • what personal data exists and where

  • sensitivity (special category, children, location, biometrics, etc.)

  • purpose and value-chain dependency

  • overlooked personal data: logs, identifiers, telemetry, analytics events

  • if AI is involved: training data, fine-tuning data, prompts/outputs, RAG datasets, evaluation datasets

If you have a RoPA or an expanded data map and it’s all up-to-date, this will help facilitate this step.

Outcome: sovereignty conversations become data-class specific, not ideology-driven.

Step 2: Make yourself aware of the legal requirements

Based on the data you’re processing, you need clarity on:

  • which jurisdictions apply (data subjects, entities, processing locations)

  • sector rules (finance, health, telecoms, public sector procurement)

  • what is hard localisation vs “allowed with safeguards”

  • AI-specific obligations where relevant (model lifecycle constraints, transparency, logging)

Outcome: you begin treating sovereignty as a documented set of constraints.

Step 3: Quantify data volumes and data subjects

  • how much data (and growth rate)?

  • categories of, and volumes of data subjects?

  • what is the concentration (one dataset vs. spread across systems)?

  • what’s the worst-case exposure scenario?

Outcome: you can prioritise. Not everything needs the same approach.

Step 4: Assess controls already in place (technical, organisational, legal)

Sovereignty is not only where the infrastructure sits. Controls often matter more:

Technical

  • encryption in transit/at rest

  • key management model (and who holds keys)

  • segmentation and tenant isolation

  • access governance (PAM/JIT/MFA/least privilege)

  • monitoring, logging, anomaly detection

  • tokenisation/pseudonymisation

  • backup and DR geography controls

  • restricting admin/support access paths where feasible

Organisational

  • ownership and stewardship

  • change control for data flows and AI model lifecycle

  • incident response readiness across regions

  • supplier monitoring discipline

Legal

  • DPAs and R&Rs

  • sub-processor transparency and approval workflow

  • audit/assurance rights and evidence expectations

  • cross-border transfer mechanisms where relevant

Outcome: you discover where risk can be reduced without knee-jerk bans.

Step 5: Nature of business and value chain information needs

This really is the ‘beyond legal’ heart of sovereignty. Ask:

  • what information must flow for fraud, security operations, support, analytics, product improvement?

  • where will localisation break core workflows?

  • what is the commercial reality (public sector, regulated customers, procurement gates)?

Outcome: sovereignty posture becomes aligned with business strategy, not clashing with it.

Step 6: Choose your approach(es)

A practical way to avoid absolutism is to define one or more sovereignty approaches by data class and workload (for example):

  • “Sovereign-by-necessity” Highly regulated/high-risk datasets and workloads. Localise and ring-fence with strong assurance.

  • “Multi-sovereign modular” Regional data planes with governed cross-region capabilities (such privacy-preserving patterns, minimisation, aggregation). This is where some multinationals end up.

  • “Global with controls” Low-risk datasets/workloads where global processing is acceptable with safeguards and documented residual risk.

Outcome: you stop trying to force one rule onto all processing and start designing for reality.

Please note that Sovereign‑by‑necessity, multi-sovereign modular and global with controls are not formal legal categories.

US sub-processors are not automatically a show-stopper

“AWS or Google anywhere in the chain = stop.”

A US-based processor or sub-processor may increase certain risks (including government access considerations). But it is not automatically a decisive conclusion without understanding:

  • what data is involved (and sensitivity)

  • what the sub-processor actually does, i.e. the actual processing services it provides to you. And this is where I see too much alarmism. Just because a controller or processor lists a US vendor in their privacy policy, it requires deep understanding in your unique business context

  • what access paths exist (including support)

  • what safeguards exist (encryption, key control, segmentation)

  • what residual risk remains, and whether it is acceptable for this dataset and business purpose

Sometimes the answer will be: localise. Sometimes the answer will be: proceed with strong safeguards and documented residual risk.

Either can be defensible. The indefensible position is making the decision before understanding the data and the controls.

Closing: build sovereignty capability

The ‘beyond legal’ lesson here is simple:

  • Sovereignty is governance (board-level direction and risk appetite).

  • Sovereignty is architecture (modular, multi-region, control-rich).

  • Sovereignty is business strategy alignment (markets, cost, capability trade-offs)

Author
Tim Clements
Tim Clements is Business Owner of Purpose and Means, a data protection and GRC consultancy based in Copenhagen, operating globally. He helps data protection and GRC leaders simplify complexity into actionable strategies, providing tools, training, and support to engage and influence across the organisation. Tim is a Chartered Fellow of the BCS (British Computer Society).

Browse by Topic

access controls accountability accountability frameworks ai act ai ethics ai governance ai infrastructure sovereignty ai literacy ai regulation article 12 article 13 article 22 article 25 article 28 article 30 article 32 article 35 article 46 article 5 article 6 article 7 audit and assessment automated decision-making awareness awareness campaigns behaviour change beyond legal board level board reporting case law change management chief people officer cloud infrastructure compliance monitoring consent cookie compliance cross-border transfers customer success dark patterns data accuracy data breach notification data flows data mapping data minimisation data processing agreements data protection data protection by design data protection culture data protection day data protection hero data protection leader data quality data residency data retention data science data sovereignty data subject rights datatilsynet deceptive design design thinking direct marketing dora dpia education employee data employee engagement enterprise architecture eprivacy esg executive communication external legal counsel finance and banking gdpr gdpr at 10 generative ai governance grc healthcare horizon scanning hr and data protection hr and employment incident response information security intellectual property internal communications international transfers lawful basis leadership lego serious play machine learning marketing nis2 passwords privacy by design privacy culture product management profiling public sector purpose limitation quantum computing records of processing regulatory guidance risk management risk reduction ropa sales security software development special category data standard contractual clauses strategic planning sub-processors supply chain sustainability system design third-party risk training design transparency trend radar ux design vendor management visual communication weak signals workshop facilitation

Related Posts