When is ‘sovereign’ truly sovereign?

Sovereignty - the full control over where data is physically hosted - is key here. But while it's natural to assume this is simply a question of which country a data centre is based in, the highly interconnected nature of modern supply chains, and the ever-growing complexity of the compliance landscape means we must reconsider what we really mean by 'sovereign', especially when it comes to the data that powers the UK's public services.

Firstly, let's rethink the longstanding definition of data sovereignty, which typically focuses on geographical location. While organisations' own data centres and those of their Cloud partners may be located in the UK, data is constantly on the move. Although the servers themselves may well fulfil sovereignty requirements, few Cloud providers can fully guarantee the sovereignty of the data itself. Indeed, in 2024 it was revealed that Microsoft were forced to admit that they could not guarantee the data sovereignty of the near-ubiquitous M365, and could only do so for 'data at rest' with the increasingly popular Azure platform¹ in response to Scottish Policing Authority's request for clarification around how policing data hosted on its public Cloud architecture would be managed and whether it would remain in the UK.

All this is in spite of the Data Protection Act 2018, which places firm restrictions on the transfer of policing data to overseas locations².

The seemingly obvious answer is to simply maintain self-owned private Clouds in on-premises servers, but much legacy infrastructure is unable to accommodate the growing volumes of data generated, stored, and transferred on a daily basis, and many organisations have come to depend on public Cloud platforms, such as Microsoft Azure, Office 365, and Amazon Web Services - as part of their day-to-day operations.

Put simply, these platforms have simply not been designed to handle data with the highest security classifications, particularly when it comes to guaranteeing its true sovereignty. This situation is compounded by the fact that many of these hyperscalers may be subject to regulations outside the UK, such as the US' Patriot Act, that can lead to them being subpoenaed to provide those governments with access to the data stored on their platforms.

It is clear then that the Defence sector as a whole must reconsider its relationship with its technology partners and supply chain, adopting a holistic view of data sovereignty that not only considers where it is hosted, but also how it is managed, transferred, and secured. We must therefore consider how the advantages of the Cloud platforms in terms of flexibility, scalability, and cost control can coexist with the most rigorous standards of security and full compliance with all applicable regulations.

It is for this reason that the Exponential-e Group continues to maintain our position as a solely UK-focused technology provider. We are an active presence in Crown Hosting's ARK data centres, with our own security-cleared specialists managing Cloud infrastructure for organisations across some of the most highly regulated sectors. We also maintain our own enterprise-class network, allowing us to provide highly secure Cloud environments and defence organisations' own premises, with our evolving cyber security ecosystem overlaying it all. Altogether, this allows us to take an end-to-end view of our customers' data sovereignty, utilising our full solution portfolio to ensure the seamless flows of data that modern Defence operations depend on do not in any way compromise our national security.

The Defence sector's relationship with its data has changed forever, and while we are still in the early days of this journey, the Exponential-e Group will continue to offer our support, working closely with organisations across the sector to establish a new standard of best practice around data sovereignty and the underlying digital foundation needed to execute it. Since 2024, we have placed significant focus on our engagement and working relationships with our Defence and national security customers, both directly and indirectly through partnerships with Defence Primes and other organisations - and also working with other organisations who provide platforms and services to the sector, providing them with the means to offer an ironclad guarantee of data's sovereignty.

If you're in any way concerned about how your data is hosted, transferred, and managed, let's schedule a conversation.