Susan Morrow

Susan Morrow has worked for over 20 years in the cybersecurity and digital identity space. She currently holds the position of Head of R&D at identity data specialists, Avoco Secure, based in the UK. Data sovereignty is one of Susan's specialisms, and we took the opportunity to ask her some key questions before she joins us at the Data Sharing Days in The Hague (27 & 28 January 2020). #DSDTheHague

What is 'data sovereignty', and why is it so important?

"Data sovereignty is a broad concept which covers the control of an individual's personal data and identity. This was largely centralised within state entities until we moved into the digital age, when large international corporations began to increase their 'stewardship' of personal data.

Recently we've seen individuals increasingly recognising the importance of their personal data. And high-profile cyber attacks have heightened awareness of the vulnerability of centralised data siloes. So momentum is now growing behind a movement to give individuals greater control over their personal data.

As a result, a new 'data sovereignty spectrum' is emerging between two philosophical extremes:

  1. Centralised state and corporate sovereignty
  2. 'Self-sovereignty' – whereby individuals retain sole control over how their personal data is used

We're now at an important crossroads, and our decisions will set the direction for years to come. If we stay on the road of centralisation, individuals could be denied reasonable control of their own data. But if we travel too far towards self-sovereignty, the potential benefits of sharing personal data could be denied to organisations and their customers.

If companies get this right, they will build trusted and flexible relationships with customers which will deliver long-term benefits. If they get it wrong, they will lose customer confidence, forfeit the right to use personal data creatively to deliver new value, and suffer severe reputational damage. So it's vital that we take the right path now."

How can organisations create new value by implementing the right data sovereignty strategy?

"The sweet-spot lies in the middle of the data sovereignty spectrum. A hybrid concept of 'decoupled data' – between centralisation and self-sovereignty – will allow all players to enjoy new benefits. We need to find a sensible compromise between strict individual control of data, and enabling organisations to use data for appropriate purposes to created shared value. And the only way to achieve this is by creating trust.

I've spent a lot of time looking at how we can replicate human interactions within the digital world. And building trust within the digital environment is essential to driving benefits for organisations and their customers.

This means we need to create a system which involves all players in the eco-system economy. Customers need to feel secure, in control and rewarded for allowing organisations to use their data. And in return, companies will be enabled to use personal data to create new business opportunities.

This requires new types of structures to manage data sovereignty. A 'soft infrastructure' – a uniform set of agreements covering how data is shared, who is authorised to access or process which data, and under which conditions the data may be used – will bring together all the various social, legal and technical components to establish the trusted relationship between organisations and customers.

Underpinning this soft infrastructure will be a technical 'orchestration layer' – a middle layer for the cloud – which facilitates access, sharing and control of data between different players in the ecosystem. The average user has 150 different online accounts; we need a standards-based system to connect these accounts in ways which are practical, manageable and reliable for customers. A decoupled data system, which pulls in data from multiple sources as and when needed, is the best way to achieve this.

This new soft infrastructure also needs to be flexible and responsive. The digital world is dynamic, and new factors will mean that trust can both increase and decrease over time. The ecosystem will be fluid, data will be used for new purposes, and we need to make sure the infrastructure remains appropriate and trustworthy. 

Only by working together – openly, flexibly and with trust – can we make this work for everyone."

How should organisations start building an effective data sovereignty strategy? 

"This isn't an easy journey but it is a necessary one. I advise companies to focus on several important factors:

  1. Think carefully about what you want to achieve, and what data you need to collect. Be prepared to think in different ways to previously. Don't be prescriptive in thinking how to get the data you need, and don't close off routes on day one. Allow customers to build their digital identities over time. 
  2. Fully understand all the demographics you intend to cover, including those around the edges such as customers with health and accessibility issues. Make sure that all users, irrespective of their demographic, can use your system.
  3. Build trust within your ecosystem. Trust cannot be built overnight; allow it to develop naturally and create deep relationships with your customers and other players. Always focus on ways to maintain and grow this trust over the long-term.
  4. Use the right technologies, and understand exactly what is available. You will need to interact with many different systems across the data sovereignty spectrum – from centralised to self-sovereign – so make sure your soft infrastructure is underpinned by the right technical solutions.  
  5. Build a multidisciplinary team which will bring a mixture of perspectives as you create your strategy. The data sovereignty question has many different angles – social, legal and technical – so make sure you have the right people in the room. 
  6. Always be transparent and honest with your customers about how and why you want to use their data. Always use data for appropriate purposes. Engage with customers but don't 'bribe' them with rewards – it's very easy to 'cross the line' when you commoditise data. You will quickly lose trust if you get this wrong.
  7. Build constant review phases into your soft infrastructure strategy, and be prepared to make iterative changes as the landscape evolves."

Susan, how do you personally see the future of data sovereignty? 

"There is definitely a clear movement towards the development of the soft infrastructure – underpinned by the technical layer of orchestration – to give the customer greater control and choice.

The key is designing how to orchestrate the flow of data, and that means understanding how we collaborate with all the different players and technologies in the ecosystem.

All the pieces of the jigsaw already exist. Our task is to connect them up in an intelligent and non-prescriptive way. And that requires a system which is symbiotic, highly adaptive, and capable of touching an organisation's entire customer base.

And it takes more than technology to achieve that; we need a multi-faceted soft infrastructure in which all the players in the ecosystem are motivated to collaborate.

To sum up, data sovereignty is a complex area. But if we accept that it's a spectrum and not binary, and we develop it in the right way, it will be an enabling force for future digital transactions."  

 

To discuss Susan's thoughts and experiences on data sovereignty in more detail, come and meet her at the Data Sharing Days 2020 where she will be delivering a Breakout Session on Tuesday 28 January. #DSDTheHague