Dr. Rick Goud brings a unique perspective to the data sovereignty conversation, combining medical informatics expertise with entrepreneurial technology innovation. As co-founder and Chief Innovation Officer of Zivver, a secure digital communications platform acquired by Kiteworks in 2025, Goud’s journey began with an unexpected twist – missing out on medical school in the Netherlands’ lottery system led him to medical informatics, where he discovered his passion for solving healthcare’s data security challenges. His background as a strategy consultant in healthcare, where he witnessed firsthand the alarming frequency of sensitive patient data being shared through insecure channels, sparked his mission to create solutions that balance robust security with user-friendly functionality.
The podcast surfaces a fundamental tension in European data sovereignty: Europe has some of the world’s strongest data protection laws, GDPR and the upcoming EU Data Act among them, yet its organizations remain heavily dependent on foreign cloud infrastructure. Goud explains that the challenge extends beyond infrastructure, for which European alternatives exist; it is the absence of true European alternatives for essential software services such as email, file transfer and collaboration that creates the dependency. He points to two recent incidents: a French Microsoft executive’s confirmation before a judge that Microsoft cannot prevent the U.S. government from obtaining customer data and must comply without notifying the customer, and the reported blocking by Microsoft of the email account of the senior judge of the criminal court in The Hague at the direction of the U.S. administration, a case whose details Goud stresses are not yet confirmed. Together these examples show that data sovereignty covers not just who can read the data, but continuity of service and freedom from foreign interference: someone else holding your keys is one risk, someone else holding a red button that can switch the service off is a second.
On the economic realities, Goud advocates a pragmatic, risk-based approach rather than wholesale abandonment of U.S. cloud services. Organizations should start, as ISO 27001 requires, by ranking their specific risks by likelihood and impact. For email he names four: human error (in his experience the leading cause of data leaks, e.g. the wrong recipient, the wrong attachment, CC instead of BCC), interception in transit, mailbox takeover through weak passwords without two-factor authentication, and phishing and malware. The continuity risk of a provider being ordered to cut off service is real but relevant only to a small set of organizations, such as defence agencies or holders of sensitive IP; for most, hospitals for instance, leaving U.S. cloud is neither realistic nor cost-effective. The practical answer is an encryption layer in which the organization, not Microsoft or Google, holds the keys: data that is subpoenaed, breached or transferred across borders stays unreadable without them. This lets organizations keep using familiar tools like Microsoft 365 and Gmail while adding protection for their most sensitive information, avoiding the cost and behavioral change of a complete infrastructure migration.
The conversation concludes with practical advice for organizations beginning their data sovereignty journey. Goud recommends starting with “low-hanging fruit”: simple security measures that can be implemented quickly, such as enabling DANE (DNS-based Authentication of Named Entities) for email transport encryption. Plain STARTTLS is opportunistic, so an attacker on the path can strip the STARTTLS offer from the cleartext EHLO exchange and force a fallback to unencrypted delivery; DANE publishes the receiving server’s certificate or key hash in a DNSSEC-signed TLSA record, which tells sending servers that TLS is mandatory and which key to expect. Despite being available for a decade, it sees adoption rates of only 15% to 20%. He stresses the importance of email and file security as the primary risk points where data leaves organizational boundaries. Rather than embarking on multi-year infrastructure overhauls, organizations should focus on immediate, achievable improvements while building partnerships with trusted vendors and peer organizations facing similar challenges, so that nobody navigates the complex data sovereignty landscape alone.
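As an added illustration, not code from the podcast, Zivver or Kiteworks, the following Python simulation shows the STARTTLS downgrade Goud describes in the transcript and why a DANE policy closes it. The EHLO banner, the TLSA record and the server key bytes are constructed for the example and no network I/O takes place; a real sending MTA would fetch the TLSA record through a DNSSEC-validating resolver, which is what stops the same on-path attacker from simply forging the DNS answer as well.

```python
import hashlib
import re

# Constructed EHLO response from a hypothetical receiving MTA (example data only).
EHLO_WITH_STARTTLS = (
    "250-mail.example.net\r\n"
    "250-SIZE 52428800\r\n"
    "250-STARTTLS\r\n"
    "250 OK\r\n"
)

# RFC 5321 reply lines: "250-" continues the reply, "250 " ends it.
_STARTTLS_LINE = re.compile(r"250[ -]STARTTLS$", re.IGNORECASE)


def strip_starttls(ehlo_response: str) -> str:
    """Simulate an on-path attacker deleting the STARTTLS capability line.

    The EHLO exchange happens before any TLS, so anyone between the two
    servers can rewrite it; the sender then believes TLS is unsupported.
    """
    kept = [line for line in ehlo_response.split("\r\n")
            if line and not _STARTTLS_LINE.match(line)]
    return "".join(line + "\r\n" for line in kept)


def advertises_starttls(ehlo_response: str) -> bool:
    """True if the (possibly tampered) EHLO response still offers STARTTLS."""
    return any(_STARTTLS_LINE.match(line) for line in ehlo_response.splitlines())


def parse_tlsa(rdata: str) -> dict:
    """Parse a TLSA record in presentation format: '<usage> <selector> <mtype> <hex>'."""
    usage, selector, mtype, data = rdata.split(None, 3)
    return {
        "usage": int(usage),
        "selector": int(selector),
        "mtype": int(mtype),
        "data": bytes.fromhex(data.replace(" ", "")),
    }


def tlsa_matches_spki(record: dict, spki_der: bytes) -> bool:
    """Check a DANE-EE(3) / SPKI(1) / SHA-256(1) record against a server key.

    '3 1 1' is the profile usually published for SMTP: it pins the SHA-256 of the
    server's SubjectPublicKeyInfo, so no certificate authority is trusted at all.
    Other usage/selector/matching-type combinations are out of scope here.
    """
    if (record["usage"], record["selector"], record["mtype"]) != (3, 1, 1):
        raise NotImplementedError("this example only handles TLSA 3 1 1")
    return hashlib.sha256(spki_der).digest() == record["data"]


def delivery_decision(ehlo_response: str, tlsa_records: list) -> str:
    """Decide how the sending MTA proceeds after EHLO: 'tls', 'cleartext' or 'defer'.

    Opportunistic TLS (no TLSA records): TLS if advertised, otherwise fall back
    to cleartext, which is exactly what the downgrade exploits.
    DANE (usable, DNSSEC-validated TLSA records assumed): TLS is mandatory, so a
    missing STARTTLS offer means the message stays queued; it is never downgraded.
    """
    if tlsa_records:
        return "tls" if advertises_starttls(ehlo_response) else "defer"
    return "tls" if advertises_starttls(ehlo_response) else "cleartext"


def demo() -> dict:
    """Run the four sender/attacker/policy combinations plus a TLSA key check."""
    # Constructed stand-in for a DER-encoded SubjectPublicKeyInfo (not a real key).
    spki = b"constructed SPKI bytes, not a real key"
    tlsa = parse_tlsa("3 1 1 " + hashlib.sha256(spki).hexdigest())
    downgraded = strip_starttls(EHLO_WITH_STARTTLS)
    return {
        "honest_opportunistic": delivery_decision(EHLO_WITH_STARTTLS, []),
        "mitm_opportunistic": delivery_decision(downgraded, []),
        "honest_dane": delivery_decision(EHLO_WITH_STARTTLS, [tlsa]),
        "mitm_dane": delivery_decision(downgraded, [tlsa]),
        "key_matches_tlsa": tlsa_matches_spki(tlsa, spki),
        "wrong_key_rejected": not tlsa_matches_spki(tlsa, b"attacker key"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point of the fourth case is the one that matters operationally: with a TLSA record published, the attacker can still strip STARTTLS, but the sender refuses to send in the clear and keeps the message queued until a genuine TLS session can be negotiated. The key check shows the second half of DANE: even an attacker who can terminate TLS with a CA-issued certificate for the domain fails the 3 1 1 pin, because the record names the expected public key rather than trusting any CA.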
LinkedIn Profile:
https://www.linkedin.com/in/rickgoud/
Transcript
Patrick Spencer (00:00.896)
Hey everyone, welcome back to another Kitecast episode. I’m your host for today’s show, Patrick Spencer. I am joined by a special guest. We normally do not highlight folks internal to Kiteworks, but this guest we had to have on the show because everyone’s going to find his insights very interesting. We’re going to be talking about data sovereignty with Rick Goud. I’ll try not to mess up his name too much.
A great Dutch name, Dr. Rick Goud, for that matter. He is the co-founder and chief innovation officer at Zivver, a secure digital communications platform launched in 2015, which Kiteworks acquired. We’re thrilled to have them on board; that was back in the March, April timeframe. He has a PhD in decision support systems and a dual master’s degree in medical informatics and healthcare management, which is an
interesting background, and now he’s in technology. Rick previously worked as a software engineer for over six years and, before starting Zivver, for six years as a strategy consultant in healthcare, where he saw the risk of mishandling sensitive data. The experience led him to create Zivver, which now helps over 10,000 organizations communicate securely while staying compliant with regulations like GDPR, HIPAA, NIS2,
DORA and so forth. So Rick, let’s talk about your background, which is quite interesting. How in the world did you get into the arena of technology to start with? And then how did you dive into this area of data sovereignty?
Rick Goud (01:50.958)
I’ll try to do the short version, Patrick, but it’s a pleasure to be here. So in my younger days, I actually was a gamer, I liked to game, but also wanted to be a medical doctor. But in the Netherlands, you have this crazy lottery system where you basically have to pick a number and then be lucky to go to medical school, yes or no. I was unlucky, or in hindsight, let’s call it lucky. So I had to find an alternative. And then I found a study called medical informatics, which actually combined both worlds. So it was 50%
Patrick Spencer (02:08.16)
Hmm.
Rick Goud (02:20.974)
whatever a doctor would learn, so I had to dissect corpses as well, but also 50% informatics, and that’s where I learned how to program, became a software engineer and actually rolled into a PhD on decision support systems from there. So I wanted to be a doctor but became an entrepreneur technologist. Thankfully, according to my wife.
Patrick Spencer (02:45.888)
Doodle luck, it sounds like.
Rick Goud (02:47.862)
Hi, so my wife is actually a medical doctor and she always says, patients are lucky that you’re not a doctor, so let’s take that as a compliment. Probably not.
Patrick Spencer (02:57.088)
So data sovereignty in particular, right? You got into technology due to the story you just told us. How, you know, has data sovereignty become an area of interest for you over the last few years in particular? I suspect sort of because of the nature of Zivver’s business, but probably for some other reasons as well.
Rick Goud (03:19.992)
Yeah, it actually started when we founded Zivver a little over 10 years ago, because back then you saw GDPR coming up. It was not yet announced, but you felt things boiling since Snowden, building up towards the momentum of legislation. And we saw everybody using normal email, WhatsApp, fax machines, couriers to share very sensitive information and saw that that was not sustainable,
because email is a very insecure protocol by nature. It’s almost like a postcard. If the mail servers want to intercept it and want to read it, they can, which of course stands in contrast to data sovereignty, because if you want to have control over your data, you want to make sure that only the people that need to read and need to access it are the ones that actually can read and access it. And so that was not common practice.
So with GDPR coming up, we saw a lot of people sharing very sensitive information in a very insecure way, saw it was not sustainable, and then said, hey, let’s try to find a way to let people keep using email, keep using Outlook and Gmail, because that’s what people are used to. And changing people’s behavior is the most difficult thing to do. So please do not try to do that. But from within the tools they are using, try to add this layer of data loss prevention, zero trust,
to make sure that only the people that need to know are the ones that can actually access the data, which nowadays we call data sovereignty. That’s been a very hot topic since, let’s call it, the last 12 months, so to say. If you had asked me 15 months ago, would we have a topic on people wanting to have their own data in their own possession? I would have said, I hope so, but I do not see it happening yet.
Nowadays it’s a day-to-day conversation, at least in mainland Europe. How can we make sure that the Americans cannot access our data? That has been one of the most dominant topics in mainland Europe nowadays.
Patrick Spencer (05:15.71)
No. Well, and it’s now a conversation at the government level. And we’re going to talk about that in a little more detail later on in the podcast. It’s not just an organization-to-organization conversation; the government entities are discussing the topic as well.
Rick Goud (05:31.97)
Yeah, very much so. And those are the ones that are driving the conversation the most, but we’ll get into that later.
Patrick Spencer (05:39.05)
So your background prior to Zivver, you were dealing with medical information. I suspect, you know, the sensitivity around a lot of that data that you were exchanging and sharing, not only internally, but also with external third parties is probably one of the reasons that you have this keen interest in protecting everyone’s data and ensuring that it remains private.
Rick Goud (06:03.01)
Yeah, totally. So as a strategy consultant, we actually created a lot of models with which we were trying to forecast healthcare consumption. But for that we needed a lot of data on a patient level to understand what are the number of tests they’re getting, what are the diagnoses, what is their treatment, etc. And we had to collect a lot of data from a lot of hospitals. And so often I got so many highly sensitive files
via random third-party file transfer apps without any encryption on top that I said, okay, this is not sustainable and not the way that it should be done. And that indeed triggered me to think about how we can do it securely and easily, because it’s always about finding that balance, right? We can make very secure applications that nobody will ever use because they’re just unusable. You have to find that balance between usability and security, because otherwise you shoot yourself in the foot.
Patrick Spencer (06:52.606)
to you.
Rick Goud (06:59.532)
That balance is the holy grail.
Patrick Spencer (07:01.748)
Yeah, that was a great point. So that’s part of what prompted you to go and start Zivver, from an email standpoint and security. I suspect you wanted to have something that’s easy to use, but at the same time, you know, had robust protections built into it.
Rick Goud (07:16.514)
Yeah, yeah, totally right. So we started by saying, okay, people are sharing sensitive information, but it needs to be secure. But if you talk about something needing to be secure, you need to understand what does secure mean, or to rephrase, what is the problem that you’re trying to mitigate, or maybe to rephrase even further, what are the risks that you’re trying to mitigate? And if you look at ISO 27001, the global standard for information security,
nowadays it actually states you need to start with your risk assessment, because how else can you know what problem you’re trying to solve if you don’t know your risks? And when diving into the topic, you actually saw that if you talk about email communication, it’s not as simple as most people think, because some people think, I have email encryption, that is secure email, right? But if you look at it from a risk perspective, you will uncover that
actually there are four risks associated with email, and the biggest risk by far is actually human error. So meaning by accident people send something to the wrong Patrick, send you the wrong attachment. UK inhabitants know now, since two weeks ago, that putting people in the CC instead of the BCC and/or adding Excel files that contain hidden tabs is also a serious risk.
You can talk about the data leak later if you want, but human error is the biggest cause of data leaks. The second risk is people intercepting your email messages, because as I said, by nature email is a postcard; people can intercept it. Security standards were added over time, but most of those security standards are opportunistic, which means that
your server tries to apply it, but it’s dependent on the recipient to also support the same standard. And if they don’t support it, it actually will fall back to insecure messaging. And the problem with that is it can be tampered with. So not trying to go too technical on you here, but this is how email works. If I send an email message to you, my email server actually asks your email server, hey Patrick, do you do encryption?
Rick Goud (09:28.238)
If you answer yes, I will send it encrypted. But if your server says no, I will send it unencrypted. However, that question, Patrick, do you do encryption, is sent unencrypted, because I do not know yet if you use encryption, which makes it vulnerable to man-in-the-middle attacks that can on your behalf say, no, I don’t do encryption, which forces me to send it unencrypted. And that is the chicken-and-egg problem with email. It takes two to tango.
Patrick Spencer (09:50.464)
Yep.
Rick Goud (09:54.862)
and the adoption of the truly secure email standards like DANE, like S/MIME, PGP is so low that it’s a challenge. So that interception is the second risk. The third risk is actually people breaking into people’s mailboxes because of the use of weak passwords without two-factor authentication. And the fourth risk is phishing, malware and the external threats, so to say.
And if you look at these threats, you need to solve all these problems. And that is the journey we started on, to help companies solve and tackle all these challenges, not focus on just encryption, but make sure it is a comprehensive solution that takes away all the risks associated with email, not just a specific point solution.
Patrick Spencer (10:38.462)
Now, and you guys publish an annual report where you survey the industry, find out what the trends look like and so forth. And part of that report dives into those risks. I think your last report came out back in the March, April timeframe. If I remember correctly, it’s about a 40-page report. I encourage our audience, in fact, we’ll put a link at the bottom of the podcast so you can click on it and it’ll take you directly over to that report. We encourage everyone to take
a gander at it because it has some really interesting insights. And I suspect now we’ll be teaming up with your team, Rick, to produce that on an annual basis. So it’ll be a Kiteworks Zivver combined report. So it’ll be even better than it has been. And it already is a great report. Now, talking about data sovereignty in Europe, Europe has probably the strongest, probably not probably, it does have the strongest
laws when it comes to data sovereignty in the world. GDPR, everyone’s very familiar with, but there are other laws that have been passed. Most recently, we have the EU Data Act that’s coming into effect. I think it’s in September. We’re going to spend a little time talking about it as well. But at the same time, paradoxically, Europe relies a lot on foreign cloud infrastructure. How can organizations in Europe solve this challenge?
Rick Goud (11:59.788)
Yeah, it’s very difficult to solve in the short term, right? Because it’s not only cloud infrastructure that they are dependent on, because there are European alternatives or equivalents for that. However, the software that needs to run on it, that you need to have to deliver or to work, email, file transfer, file collaboration, that type of stuff, that is what is currently lacking as a true European alternative. And in the past,
the US was seen as a trustworthy partner. That has changed a little bit, saying it a little bit pragmatically, over the last couple of months, and for a couple of reasons. But until a year ago, you trusted Microsoft, trusted Google for taking care of your data. However, a couple of things have changed that changed people’s perspective.
And one of them is that it became more and more clear that actually, while Microsoft and Google of course encrypt your data, they still have their, or your, keys on their infrastructure, making them vulnerable to insider threats, making them attractive to hackers, but more relevant over the last couple of months, making them subject to governmental subpoenas.
And actually, two or three weeks ago, a French Microsoft executive confirmed before a judge that actually there’s nothing Microsoft can do to prevent the US government from requesting data, with which they have to comply, without notifying the customer. And that is a big problem. So with the current technology that Microsoft and Google offer, you cannot make sure that people do not have access to your data.
It’s currently based on a trust model, but that trust part has diminished a lot over the last couple of months. So that’s one. The other dimension of sovereignty is the continuity of service. And that has actually, over the last couple of months, gained a lot of traction because there were, well, rumors, publications. Something really happened, but we do not know yet the details, but in The Hague. So I’m from the Netherlands, by the way.
Rick Goud (14:18.478)
The Hague is where the criminal court has its office, so to say. And the primary judge of the criminal court’s email account was blocked by Microsoft because Trump told Microsoft to do so. And then, of course, suddenly there’s another challenge. So apparently there is some type or some form of power that can say,
you need to stop delivering the service to a specific organization or specific person. So then there is not only the risk of people accessing your data, there’s actually a risk of somebody pressing a red button somewhere and then being able to discontinue the service. And that is of course a very different aspect of digital sovereignty: not only having control of your data, but also making sure that you have access to your data at your own will. And those two topics are now very much top of mind
Patrick Spencer (14:57.791)
Yeah.
Rick Goud (15:17.806)
for many governmental organizations that trusted US cloud but indeed do so less over the last couple of months, so to say.
Patrick Spencer (15:28.85)
Interesting. There’s going to be even more of that. We’re working on a quarterly compliance report that will start to capture all that data, not necessarily in real time, although we’re using AI to do it. So I guess one could say it’s in virtual real time. We’ll be publishing that in a quarterly report that I think our audience will find useful. And obviously data sovereignty would be a key part of that report. Now, Rick, you described the challenge in a great way, but
there’s always an economic component involved at the same time. So if you look at these data localization requirements, for an average organization they increase the costs associated with a particular communication channel; I think the research shows about 55%. So how do organizations try to address the problem without breaking their piggy bank at the same time?
Rick Goud (16:23.854)
Yeah, but I think that’s the biggest challenge, right? And that is why previously a lot of organizations said, I want to go with M365 only because, well, I want to get rid of point solutions because it saves me money. But it boils down to what are the risks that you’re trying to mitigate, right? Because there are many risks that you’re trying to mitigate, and as any organization should do, you have the risk, the likelihood of the risk and what is the impact of the risk actually happening.
And then you have to rank them from the top: risk is chance multiplied by impact. That is then the biggest risk that you need to mitigate. And that very much depends per company, right? But you can imagine that the continuity risk, that somebody is actually pressing a red button and discontinuing your service, is only relevant for a very small part of organizations. The risk of
people actually accessing your data is much bigger. So also there you need a layered approach. If you are a defense agency, an organization working with very sensitive IP that is currently potentially very attractive to specific governments and/or hackers, then you need to put your money where your mouth is, because you need to have full control over your data. But if you’re a hospital, then getting rid of
US cloud is probably not realistic, not cost-effective, but then making sure that you add an encryption layer on top of your very sensitive information, to make sure that Microsoft or Google does not have your keys and therefore is not vulnerable to the CLOUD Act and that type of risk, that’s a very pragmatic solution that is not per se the most costly one. But again, starting with risks, depending on your risk, you need to have the appropriate measures in place.
But that doesn’t always mean you have to fully get rid of US cloud, or hardly ever means that. But there are solutions like the ones that Zivver offers, Kiteworks offers, that allow a more gradual approach for your very sensitive information. Well, you can take specific measures that allow you to still use US cloud, but for specific use cases and for specific departments allow you to have things on premise, in private cloud and/or add an encryption layer on top of that that would
Rick Goud (18:44.062)
mitigate those risks. And from that perspective, every deal that we are doing, and we have over 11,000 organizations at Zivver, and Kiteworks has thousands as well, that business case has worked, but it should not be a full-fledged drop all your US clouds and move to a local cloud vendor. Because also it’s not possible, because for many of the processes, the actual tools are missing, not the data centers. But again, that is…
something that
Patrick Spencer (19:14.676)
The economics make it almost impossible to move to a local provider in many instances.
Rick Goud (19:20.578)
And not only the economics. Changing your employees’ behavior, and not only your employees’ behavior but also that of the people you communicate with, to make sure that they from one day to another have to drop the tools that they are using and then move to something else, is not only a cost of different technology but is also impactful. So having a more intelligent, gradual approach is the most sensible way to go.
Patrick Spencer (19:45.376)
Yeah, very, very well said. Well, there’s a tool soup out there as well when it comes to all the tools organizations use to exchange sensitive data, whether it’s email or file sharing or MFT; they have a different tool for each of them. All of them vary. They all dump their logs into separate batches. It’s hard to get to. In our annual report, which will be out by the time this podcast is published, most likely, we ask a couple of questions around privacy-
enhancing technology, multi-factor, double encryption, SIEM and other advanced technologies. And you’d be surprised and shocked, or maybe not, at the low percentage of organizations that have PET technologies in place. And those who didn’t know different things in regards to their security posture,
the number of PET tools basically doesn’t exist because they’re not aware. And for those that didn’t know what PET technologies they have in place, the number of breaches and the cost of the breaches and so forth all went up. So you need to have those pieces, as you just described. So transitioning over to a slightly different topic still related to data sovereignty, but this is in regards to post-Schrems II, or however you might say it in Europe.
Rick Goud (21:07.948)
Yeah, Schrems II. Yes, yes, yeah.
Patrick Spencer (21:10.528)
Cross-border data transfers after the fact are probably a bit uncertain right now. What’s your opinion on what that ruling says and where organizations are headed?
Rick Goud (21:24.898)
Yeah, it’s very interesting, right? Because it very much depends on the IFDB holder, whether they think that currently the Privacy Shield type of model clauses are sufficient, yes or no. Interestingly, a lot of, well, governmental organizations currently still think it is sufficient. Whether in practice that is something that is just wishful thinking or is true,
probably most know it’s not true. However, they think they have bigger fish to fry, slash it’s too costly to mitigate that risk. The organizations that we typically work with say, well, there are two ways to basically control your data. One is to have your data. The other one is to have your keys. A pragmatic way to make sure that you are not affected by any data transfer is just to make sure that you own your keys. And then
stuff can be on any cloud service, can even be on Facebook, because with current technology, not talking about post-quantum, but talking about the current technology, you need 800 years to decrypt a single file if you use something like RSA 2048 to encrypt your data. And that is sometimes an even more pragmatic choice, right? To keep on using Microsoft, to keep on using Gmail, because to be honest, there is not a true alternative for the entire service yet.
But if you use a zero-access, zero-trust encryption layer on top of it where you keep your keys, and not Microsoft, not AWS, not Gmail, then you can still mitigate any of the transfer risks. Because even if it would be transferred, even if somebody would have access, they lack the keys to decrypt your data, making you invulnerable to any of the true risks that lie with the data transfer, so to say.
Patrick Spencer (23:15.744)
That makes a lot of sense. Now, every podcast would be remiss if we didn’t talk about AI. We published a report back in June that had some startling revelations. And I think the numbers are probably higher than they actually are. And then there’s been a whole slew of different reports that have come out since then. The upside is it seems that ours was sort of the bellwether that set the stage for all these other reports that have been published.
But we found 17% of organizations, when it comes to AI, actually have the right technical controls in place to ensure that data, sensitive data, private data, isn’t leaking into third parties and others that don’t truly have access to it or shouldn’t have access to it. We’ll put it that way. With the explosion of AI, there’s all this data that’s being produced, Rick. Do you see that as
making data sovereignty, particularly cross-border transfers of data and the maintenance and management of that data, more complex?
Rick Goud (24:17.642)
Totally right. So that makes it much, much more complex. The holy grail for that is data classification or labeling, whatever you like to call it. If you know what data is sensitive, then it’s much easier to make sure that people are not sending it to the wrong Patrick and/or not uploading it to the wrong AI that you do not want to have your data in. So I think the only way to truly solve the AI challenge is to make sure that organizations adopt
a classification system that actually works for them. And that is, I think, something that will be an evolving field over the months and years to come, because you hear a lot of organizations trying to adopt a classification scheme, a labeling scheme, talk about implementing Purview, but very much are still dependent on manual labeling by employees, which we know they won’t do, or they will choose the first label because they actually do not know your policy by heart.
Making sure that you actually use AI for the good purpose, namely to make sure that you intelligently classify your data, know what is sensitive and therefore can protect it, that I think will be a very important application of AI in the months and years to come. Because traditionally, well, there were of course a lot of tools or algorithms that you could use to classify data. However, getting to sensitive
or sensible models requires a lot of training data. I think with all the possibilities that LLMs nowadays provide, and putting that into the works for organizations to actually help them better protect data, that is where AI can be very valuable nowadays. It’s more a threat that people upload it to places that it should not be uploaded to. So two sides of the medal there.
It can help organizations, while currently probably it’s for most of them a threat.
Patrick Spencer (26:15.744)
Yeah, I agree. Zivver has some cool technologies on that front from a tagging standpoint, and then Kiteworks has anomaly detection that picks up on instances where there’s an anomaly with data upload and highlights it as a risk. So organizations can check out both of our websites for more information on that front. I’m looking at our questions here, some that I think might be of interest. What technical standards
today do you think are missing in order for us to achieve true data sovereignty? You described some of those already, but what do you think is needed in order to help organizations facilitate better data sovereignty so some of the problems you just described don’t occur?
Rick Goud (27:02.22)
Yeah, so if you talk about data sovereignty, there are two aspects of technology that you need in order to make sure that the data is sovereign. A, you need a specific type of encryption that indeed makes sure that only the people that need to have access to the data have access to the keys. And while there are many encryption standards, there are not too many standards that are actually available
that work on your files or on your emails. So for emails, there’s S/MIME and PGP. However, from a technological perspective that is hard to put into practice for everybody in the world. Recipients typically also need to install something, and at Kiteworks, we found a very good way to make sure that we can apply S/MIME while not everybody needs to use it, but it still has some limitations up to specific file sizes.
While for encrypting files there are standards, there is not one that allows sharing across organizations. I think that is something that needs to be developed: a standard that allows us to share information in an encrypted way across organizations on the one hand, but also that is where identity and access management comes into play. You want to be sure that Patrick is Patrick and that he’s authorized to actually get access to the data. And that is where potentially in Europe there could be a
new way to do that. So I do not know to what extent you know, but in the Netherlands, or in Europe, eIDAS 2 was accepted two years ago, which basically talks about a lot of digital services that from a European perspective need to be developed, of which a single identity for every European is one. So currently many European states are developing what is called a wallet,
which basically is something, well, think of the normal wallet that you own, but it contains your information on your identity. Getting to a single standard that allows me to know that you are Patrick, that you are truly Patrick, and what role, what attributes, what rights you have, combining that with encryption, that is what is needed in order to make it truly secure. And there are some interesting standards
Rick Goud (29:27.118)
currently being developed and being implemented. However, it is a little bit in its infancy and not yet supported by the big vendors. But that is something that I think we, with Kiteworks, will also be involved in a lot, to help develop these standards and bring them to implementation. Because that is needed to have true digital sovereignty, not owning your data, because companies can be acquired, also if things are in a European data center.
The data center still needs to be secure because the hackers will try to get into the data center. And probably then you have a bigger problem than you would have had using a US cloud, so to say. But good encryption, good identity and access management and combining those two, that will be needed in order to have true data sovereignty with data sharing on top.
Patrick Spencer (30:19.41)
Interesting. Some good insights. Now, speaking of frameworks, the Trust Data Framework, TDF, is emerging alongside the EU Data Act, the EU AI Act. How do all these different pieces sort of fit together?
Rick Goud (30:34.83)
Yeah, that’s a challenge. Will they fit together? Right. So that is, I think, something that if it’s funded and if big organizations stand behind it, they will merge into each other. However, there is always a risk with these types of legislation that it’s something that exists on paper, but in practice not too many people will follow. I think in general in Europe we have a tendency that we have a lot of legislation. We have had GDPR since 2018 and by
word of mouth, everybody says they comply with GDPR, but if you ask them five to six simple questions, the basics are not implemented. And I think that is, for example, in the US with CMMC and that type of standards, it’s much more that you do it with full force. Hopefully in Europe, with NIS2 being adopted, with DORA being in effect, with eIDAS
Patrick Spencer (31:10.976)
They don’t really, all their confidence, yep.
Rick Goud (31:33.304)
coming more and more to fruition, we will find a way to merge all these standards into something that will be practical for organizations. But yeah, it’s a little bit of hope, and hope is not per se a strategy. is talking to a lot of stakeholders and trying to make sure that, with everything that is happening in the world on a political level nowadays, they understand they need to invest in these types of standards and the adoption, because the…
trust model that we had before is just not future proof anymore.
Patrick Spencer (32:03.744)
changed. How prepared do you think organizations are for some of these new regulations? GDPR obviously has been in place for quite a while. Some of these others have been put into effect, but like the Data Act that’s coming up, is it September? And we did ask this question in our report that I referenced, and everyone can check out the findings, but there’s a lot of, they still have quite a
distance to go before it goes into effect in September based on what we discovered.
Rick Goud (32:36.43)
Yeah, yeah, but yes, but if you talk about this too and talk about DORA, which is already in effect, most organizations are just starting. Yeah, just talking about it. And the same we saw with GDPR. It actually came into effect in May 2018, and that was typically, that was the month where we saw the highest sales, because that was the month: oh, now I need to do something. And then people started to think, we will see.
Patrick Spencer (32:44.648)
adoption rates are low.
Rick Goud (33:04.352)
Same with NIS2, because as you might or might not know, NIS2 is what’s called a directive, which actually means it’s a guideline that every country still has to translate into local legislation, and they should have translated it into local legislation by the 24th of October 2024. So almost a year ago. I think currently three European countries have actually done that,
including Belgium and a couple of others. So the far majority has still not translated the NIS directive into local legislation. For example, the Netherlands, the country again where I’m from, it will come into effect somewhere in the first half of 2026. So almost one and a half years later. That’s how it works in Europe: something needs to come into effect and then people actually start to think and to act. And of course we have the five or 10% of
front runners that have everything in order, but the far majority will only start to act if there are fines, if there are data leaks that come into the media, and then C-level people say, we need to act as well. You need to create, or there needs to be, that virality effect, that spiral effect that will push people to higher standards. That is not a single moment. It will be a gradual process over the next five years.
Patrick Spencer (34:28.042)
When I, you know, many organizations think, well, the governing bodies will fine the big boys, Google, Microsoft, so forth across the board. Those will be the ones they go after, which quite frankly often is the case, as we all know, but they also go after others. So I think it’s a misnomer that many of these organizations think, well, I’m safe because I’m so small. I’m not significant enough, so they’re not going to go and fine me. I assume that’s a, a
a false misunderstanding or a false hope.
Rick Goud (35:00.91)
Yeah, it’s a false misunderstanding, but also it varies very much between countries. While we potentially are sharing links, Patrick, as part of this podcast, what DLA Piper does every year very well is to provide a report, a yearly report, on the number of data leaks and the number of fines given by European countries since GDPR, because since GDPR every country has to have a reporting authority,
and that authority can give fines to companies. And as you might expect, Ireland has the biggest number of fines, because a lot of those big vendors like the Microsofts and the Googles are in Ireland. But it also is very interesting that, for example, Spain is a country where a lot of smaller companies actually do get fined for simple things like cookies not being in place, people…
Patrick Spencer (35:41.874)
Ireland.
Rick Goud (35:56.21)
were unable to ask for their personal data, etc. But also a year ago the European Commission issued new guidance where they actually push for more standardization on the height of the fines and the reasons for giving a fine. So also there you see a slow step up; people learn from mistakes, see that there’s a big distinction between countries. But indeed it is
not true that only the big ones are being fined. If you look at various countries like Spain, like Italy, like the Netherlands, there are also a lot of smaller players that are being fined, and it is slowly increasing over time because the low-hanging fruit is gone and now the companies that do not act properly, everyone will be at risk, increasing the
Patrick Spencer (36:46.92)
Everyone is at risk.
Rick Goud (36:52.082)
Because, well, that’s also how it works, right? Best practices will take a step up, and if you do not follow the pace, you will actually be the one that falls behind and then you are at risk. So you need to make sure you follow best practices and then you’ll be fine. If you sit and relax, then indeed your time most likely will come for a fine rather sooner than later.
Patrick Spencer (37:20.362)
So, like most issues that we face from a technology standpoint, it becomes a hairball and then we try to solve it, and we throw a bunch of different solutions at it. If you were to start over from a data sovereignty standpoint, and say it’s an organization that hasn’t built all these technologies up and they’re starting from scratch, what would be your wish list? How should they go about tackling data sovereignty?
Rick Goud (37:48.002)
Yeah, so I think it’s a very, very interesting challenge, right? Because, so if, as an entrepreneur, I would see this as the perfect momentum to actually develop initiatives to, well, try to jump on that sovereignty wagon. As an organization itself, it is very hard to solve because you’re dependent on technology vendors to actually provide technology that runs on premise, that has zero trust access,
that is able to have attribute-based access control and role-based access control. And those technologies cannot be developed overnight, right? And that is why Kiteworks is so uniquely positioned to fill in that gap. But that has been a development over the last 15 years to develop the technology that supports that type of controls. Yes. So, so if I were an organization,
I would indeed scan these types of technologies, but also make sure that you’re not alone, right? The biggest risk that you will face is that you work with a startup, you work with a small company, you invest in it and then it’s being acquired and/or it goes bankrupt, and the last risk is 90% higher than the first. You have a challenge. So make sure you work with trusted vendors that can help you
tackle the data sovereignty space, but also pair up with peers on a local level, on an international level, to make sure that you’re not alone in solving this problem, because rest assured, this is every C-level’s discussion they’re having right now. So find the people that are willing to co-invest, because then you can learn from each other. You can actually solve some of the problems and challenges together. So that would be my take. Find partners that…
have the same mindset from a technology vendor perspective, but also from a peer perspective that allows you to work together to solve this interesting challenge.
Patrick Spencer (39:53.482)
Good suggestions. Well, we’re about out of time, Rick. Any parting thoughts for our audience in terms of tips, strategies? Where should they go if they are struggling with data sovereignty, they have concerns? Where should they start?
Rick Goud (40:06.734)
So I always say, and again, it’s a little bit maybe easy for me to say, but talking about data sovereignty in a way that you have to move everything away to another cloud that is in your country or on premise: it’s not a bad choice. However, there is so much low-hanging fruit lying around that probably you should start there first if you talk about data sovereignty, and just to give you a couple of examples.
As shared, one of the standards that would allow an email to be securely sent from your server to the recipient’s server is called DANE. It’s DNS-based Authentication of Named Entities. It’s a security layer on top of SMTP, on top of TLS. For 10 years it has been the standard to make sure you properly encrypt your data. It’s an open standard.
However, in the world, it’s adopted for, let’s say, 5, 15 to 20%. It is available for every Microsoft 365 user or organization to activate in five minutes’ time, today or tomorrow. DMARC. So what DMARC is, is a standard that makes sure that nobody can pretend to send something on behalf of Patrick at kiteworks.com. Adoption of DMARC in the world is around 30 to 40%.
My point is: work with vendors, work with MSPs who can help you identify your current risks, and rest assured there is a lot of low-hanging fruit that you can start with, and you do not have to start moving all your infrastructure to another country. It can be part of the plan, but start with low-hanging fruit related to email encryption, related to file encryption, related to ensuring or securing your data.
That can be done in hours to days, while moving to another data center can be months to years, or even more. So start with low-hanging fruit. Start from a risk-based perspective. And probably email and files are your biggest risk, because that is the moment where it’s being shared with the external world. Start there and take it step by step. But start with low-hanging fruit.
Patrick Spencer (42:29.63)
Yeah, great suggestions. We have some coverage from, just an insight standpoint, in our annual report, which will be available when this podcast goes live. So you can check that out, but we’re getting ready with Rick’s team to actually run a more in-depth study around just data sovereignty, which we plan to publish in October. So if you’re listening to this podcast and it’s after October, then you want to check that out on the Kiteworks and Zivver websites.
If not, you have something to look forward to, because I’m sure we’re going to have some interesting insights that we uncover from that survey. And then two, I suspect we’ll also have Rick and maybe one or two others back to talk about the insights on the podcast. So Rick, thanks so much for your time today. Great conversation. Anyone who’s interested in data sovereignty will find this conversation very helpful.
Rick Goud (43:20.11)
Thanks for inviting me, Patrick. Everybody that’s listening that also wants to have a discussion on data sovereignty and wants to, well, know about ways to solve the problem, do reach out to any of us to have this conversation. It’s something that we talk about every day and probably we know more about than others. And we can also bring you into contact with organizations that struggled with similar problems like yourself. Looking forward to these conversations.
Patrick Spencer (43:45.696)
It’s out on the website and then Rick’s LinkedIn profile is a great way to get in touch with him directly.
Rick Goud (43:52.056)
Thank
Patrick Spencer (43:52.692)
Thanks everybody. Check out other Kitecast at kiteworks.com forward slash Kitecast. Thanks for joining us.
Rick Goud (44:00.974)
great day.