“The idea that you own your data is, at best, a fantasy. You have rights over your data, but ownership is a legal construct that doesn’t fit the fluidity of information.”
– Evgeny Morozov (Writer and researcher on technology, skeptical of traditional ownership models for data)
A few months back, a serious incident exposed just how fragile it can be for businesses that depend on cloud-based productivity tools. A company that had been using the same service for over ten years suddenly found its subscription cancelled. The reason? An alleged policy violation. There was no prior warning, no detailed explanation—just a complete shutdown.
Overnight, access to all their business-critical data vanished, throwing their operations into chaos. Despite paying regularly and on time, they had no legal recourse to retrieve their data. Instead, they were left entirely at the mercy of the cloud provider’s discretion.
This situation raises a critical question: Even if a user breaks a policy, shouldn’t they still have an undeniable right to access and recover their own data?
In the last more than 10,000 years of documented history of human civilization, with few exceptions, every region, empire and community have faced conflicts. It’s just that the reason for conflict has been changing. With the advent of digital technology, the 21st century has just added to the dimension. In the last 20 years, data presents itself as the new ‘oil’ which can cause conflicts and wars. We already saw the power of data in defining our destiny through the case of Cambridge Analytica.
The General Data Protection Regulation (GDPR) enacted in 2016 by the European Union was the first major law that brought some awareness, at least in India, about the need to not just protect data but also own and control it. Unfortunately, in India, we are still at a very nascent stage of understanding even the importance of Data Protection. Hopefully the DPDP act should compel us to understand & act.
But why this need of Data Ownership and Data Sovereignty ? Since the olden days, every organsation had its own IT infrastructure. The applications, even public facing, would sit and run on the on-premise infrastructure or max at a co-location facility. In either case, the infrastructure, the applications and more importantly the data is owned, accessed, managed and controlled by the organisation itself. In the second decade of this century, the public cloud started gaining prominence with the promise of lower Infrastructure costs particularly the capex. With its flexibility and elasticity, ability to control opex and quick scalability due to managed services, cloud deployments appealed to IT decision makers. Many organisations moved their workloads, particularly data, to the cloud. Public cloud vendors invested in Gigascale datacentres linked with high-speed optical fibre cables and a sophisticated abstraction with a complex UI/UX layer allowing multiple customers to use and share the same infrastructure. In simple terms, we are renting a subset of a large IT infrastructure and pay for what we use. All that is needed is to just login and spawn a virtual machine or any resource of desired configuration and pay the monthly consumption bill. Very much like hiring an Ola or an Uber.
This sounds very interesting but the reality hits when there are large monthly bills caused by egress (charges incurred when data is accessed or downloaded) and a large dataset which binds you to the vendor. If, god forbid, there is an issue with subscription, even access to your own data is blocked. Your own data lying in someone else’s hardware and in their own location.! This raises a question – Who owns your data on cloud ?
In theory you own the data but due to lack of clear laws, customers in India are at the mercy of the hyperscalers. As we wait for the final implementation of GDPR, whose final provisions are yet to be notified and evaluated, we need to carry our responsibility to ensure we do not lose access to our own data.
First and foremost, it is important that our data is profiled, stored and protected with regular backup & DR drills. If the volume of data is large, applications need to be designed in a way that allows access to data from on-premise locations. This can be achieved through better data caching mechanisms. Mission-critical and confidential data should be encrypted by our own generated and self-managed cryptography keys. The thumb rule of data protection works on 321 rule. Every critical data should have 3 copies at 2 different locations with 1 copy off-site preferably in a de-militarized zone. At the bare minimum, data storage should be hybrid – multi-cloud or across cloud and on-premise. We also need to understand that the cloud is not infallible. There are enough incidents where public clouds have accidentally deleted or lost customer data. Hence 100% reliance on the cloud for your data storage needs is detrimental.
The world of technology just revolves around two things – logic and memory. Logic resides in applications. Even the much touted artificial intelligence is implemented through applications. Memory is the data. Applications do not store data, they simply consume data Hence applications can be moved across the infrastructure at the click of a button. Data is the bulk and moving and migration of data is a very herculean task. A Veeam study states more than 90% of organisations have lost access to their data in the last few years. While those organisations might have stored it, it was your and my data. We cannot, as a nation, be complacent and careless. After all, it is not just the territory that makes our nation. Data also does. Let’s protect, secure and OWN it.