Q&A: How to manage data sovereignty at the state level

A lot is made of how data sovereignty applies to managing information from country to country—the back and forth between the US and the EU over the latter’s General Data Protection Regulation (GDPR) shows the intensity of the topic.

Making sure that competing laws are reconciled between countries is a challenge. But as John Wills, field CTO at data management company Alation, recently told IT Brew, in the US it can even vary state to state.

Data privacy has been of growing concern to state and federal lawmakers, leading to the development of varying degrees of regulation depending on location. Sorting that out can be difficult for teams looking to ensure they fulfill all relevant data management needs.

Wills told IT Brew that the landscape is evolving quickly, and that the traditional leader on progressive legislation, California, isn’t the only state driving the conversation. Colorado, Connecticut, Utah, and Virginia all have comprehensive data privacy laws on the books.

This interview has been lightly edited and condensed.

What should IT teams consider when managing data? Should they primarily look at California and the other four states with privacy laws?

The dirty little secret is that there’s already been this massive explosion of laws and regulations. And if you’re an enterprise—and of course the larger you are, and the more that you cross jurisdictions, the more complex it is—you already have an overwhelming tsunami of interrelated and conflicting laws you need to abide by. It’s very, very confusing, and very difficult to handle.

The risk is over-rotating just on California versus national, because you [have to] look at all of the other states. There are 23 states with inactive bills, but they could be reactivated in committee. There are a handful of others, I think five, that are actually sending bills through the committee right now, so they’re active.

The big challenge in the space is for an enterprise, the going concern, to say, “Huh, do I have to sit down and map all of these together and figure out what the subset is and then orient my business to handle those?”

Do you think that we’re going to see more broad overview legislation in other states—even going beyond federal legislation?

I’m not sure how many, but I’m pretty certain that there will be more. It’s because partially, with Apple’s help, and Amazon and others, and what you’ve written about…have brought it to the consciousness of the public—the importance and the impact and the risk to people. We’ve all seen the headlines of really, really damaging breaches. It’s now in the consciousness of the public, which means it’s in the consciousness of our public officials. And it becomes…something the politicians want to do something about and care about.

How’s that going to affect data sovereignty state to state?

That’s yet to be seen. They’re trying to write it into the national bill, see if it all gets through markup, but states do retain their rights.

The only thing that encroaches upon that is that if a citizen in a state wants to bring a civil suit, the state’s Attorney General can look and see if they want to take that civil suit forward on behalf of the citizen. They can [also] take that at a state level.—EH

Do you work in IT or have information about your IT department you want to share? Email [email protected] or DM @EoinHiggins_ on Twitter.