Do you still trust or are you already digitally sovereign? Admittedly, this is of course an exaggeration, but how would you answer the question in principle for yourself, for your company or organisation? In our corona-related everyday working life we meet mainly in virtual space. We act digitally and use tools of which we often have only a vague idea what their providers do with our data. This means that we trust these providers. But are they trustworthy? Normally we measure products by their security and pay attention to certificates, labels and security standards when making purchasing decisions. However, this seems to be less important to us so far with virtual products.
The virtual fingerprint
There is basically nothing wrong with meeting someone with trust in the first place; on the contrary, on a human level this is even very desirable. In virtual space, however, we do not meet real people – even if it may look like this, for example via video conference: our collegue in the chat is not real, but a two-dimensional copy made of pixels, of bits and bytes, of a multitude of arithmetical operations.
It is the same with all data that we release into virtual space in any way – whether privately when we shop online or on the job when we use software and IT systems to do our work. We communicate via our data input with the software we use, with a platform, with an online shop. The data left behind is interpreted, evaluated, used and reused.
The sovereignty over my data
Would it not be desirable for us to have sovereignty over this externally determined use of the data? That we would have access to the data we have provided at all times, that we would know who is storing it where and for what purpose?
This is exactly what the concept of digital sovereignty is all about. Being digitally sovereign means that I have the possibility to decide for myself what happens with my data. I am digitally sovereign when I have full control at all times over where my data is stored, how it is backed up and, above all, who has access to it.
Digital sovereignty is a range of options
Digital sovereignty is not a state that can be switched on or off, but is rather to be understood as a space in which you can move according to your requirements. The matrix below, which was developed during the Digital Summit of the BMWI together with OSBA board member Peter Ganten, gives you a first overview to gradually assess where you can currently locate your digital sovereignty:
Corporate Fields of Action for Digital Sovereignty
After an initial orientation, the next step is to take a closer look at the different categories and to consider where and what need for action there is for you, your company or organisation. Where can and must something be improved?
Data
At the beginning there is the question: “Do I have full control over my company data? Most likely you will answer this question with “no”. “Full control” represents a (utopian) ideal situation and should rather be used as a basis for discussion. When and where does it make sense to have full control? Is this even possible in the ultimate consequence? Are there moments when “full control” can be a hurdle for business? At this point, we are also concerned with possible future effects when data is in the hands of others. What happens, for example, to my data that is in the hands of suppliers? Do I have access to it if, for example, the business relationship ends – for whatever reason? Which bugs and data leaks are already pre-programmed in software that I don’t know about?
Interfaces/APIs
Open APIs are often based on open standards and protocols (e.g. OpenID Connect to confirm identity). They allow developers to access data used by an application without any particular restrictions. This data can be retrieved at any time in a format, this means, the idea is to provide a complementary way to easily transfer data from one software solution to another.
Source code
Open Source is the headline of the day here. Open source software offers you transparency about the source code of a software. This transparency allows you to see what a software actually does and the insight into the code enables experts to check whether a backdoor is built in after all. The use of open source solutions is particularly beneficial if, for example, you are planning to change a provider. Open source software makes it easier to migrate from one software to another and integrate it into your existing open source stack. Usually open source software also allows you to modify the code to adapt it more individually to your needs.
Hardware
In order to think digital sovereignty as a whole, it makes sense to look at the hardware as well. Why? Hardware as a physical product is highly dependent on trade relations and legislation between states. Producers are bound by legal requirements (and thus also by the absence of requirements) of the specific country, which are not internationally unified. American and Chinese manufacturers, for example, produce under different standards and specifications than we are used to from goods produced in the European Union – especially with regard to the data security of the products. However, it should not go by unnoticed that the hardware procurement of EU products is not easy, as a large number of hardware suppliers are based in non-EU countries.
Diversity
Digital sovereignty means having control over your data. Your data is also your knowledge, you are the owner of your knowledge. Therefore you should always have the possibility and the freedom to handle this knowledge in the way you think is right – i.e. to change it, to adapt it or even to discard it. In order to do this, you need the possibility and freedom. Firstly, to be able to choose between different providers for the same/similar product and, secondly, to be able to switch from one provider to another without any problems or loss of data.
Individual skills
To be digitally confident, learning is necessary. You can only be digitally sovereign if you can apply your knowledge yourself. This does not mean that you have to do everything yourself, but it makes sense to know who can provide support when needed. Nevertheless, you should have a sound media competence and be able to use your digital tools well – even with a simple word processing program it is worthwhile to refresh your skills from time to time and/or acquire new features. Lifelong learning is the keyword here.
Jurisdiction
This is about looking beyond the edge of your company or organisation. Who do you work with? What legal regulations do your partners/stakeholders have to comply with? In the case of suppliers from the European Union, you can be sure that they are subject to the same laws as you are, i.e. they must observe the same protective rights, for example.
In this spirit: trust is good, digital sovereignty is better.