By Edwin Weijdema – South African organisations are moving deeper into cloud-driven operations. Banks are modernising core platforms. Insurers are adopting AI-based risk engines. Mining companies are connecting operational technology to analytics platforms. Municipalities are digitising citizen services and utility infrastructure.
This acceleration creates opportunity, but it also sharpens a difficult question. How do organisations gain the agility of modern cloud platforms without surrendering control of their data?
This is the practical challenge at the heart of data sovereignty. Too much control can slow innovation and inflate costs. Too much reliance on external platforms can introduce jurisdictional, operational, and recovery risk. The goal is not to choose one extreme or the other, but to design an environment where both control and agility are achievable.
In South Africa, that balancing act is influenced by specific conditions. Many cloud services used by local organisations are hosted in data centres outside the country. Cross-border data flows are common. Connectivity disruptions remain a reality. Regulatory accountability for data protection is explicit under the Protection of Personal Information Act, with breach notification obligations enforced by the Information Regulator.
In financial services, governance expectations extend further. The Financial Sector Conduct Authority and the Prudential Authority require demonstrable technology risk management, third-party oversight, and cyber-resilience capabilities.
These frameworks define accountability but do not dictate the architecture. That design responsibility sits with technology and security leaders. A resilient data sovereignty strategy, therefore, needs practical building blocks that support both regulatory compliance and operational continuity.
Data here, there, and everywhere
The first building block is visibility. Organisations need to know what data they hold, where it resides, how it moves, and who can access it. Without this, sovereignty decisions become guesswork. Classification and mapping of sensitive, regulated, and operationally critical data is the starting point for meaningful control.
And that is no easy feat. In 2024 alone, 149 zettabytes of data were created, captured, copied, and consumed, with that expected to have risen to 181 zettabytes at the end of 2025.
The second building block is policy and governance. Once the data is understood, organisations must define where specific datasets may be processed, which platforms are approved, how access is governed, and how encryption keys are managed. This is where residency requirements, contractual terms with cloud providers, and internal governance frameworks intersect.
The third building block is resilience. Sovereignty cannot exist without reliable recovery. If data is corrupted, encrypted by attackers, or rendered unavailable through platform disruption, paper ownership does not translate into practical control. Verified backups, immutable data copies, and tested recovery orchestration ensure that organisations can restore trusted data and resume operations under pressure.
For organisations running digital customer platforms, financial transaction systems, operational technology, or infrastructure control environments, resilience is inseparable from sovereignty. If recovery is slow or uncertain, the organisation is effectively dependent on external actors, whether cloud providers, threat groups, or geopolitical events.
The final building block is continuous validation. Sovereignty is not a once-off project. Data flows change. Applications are modernised. New cloud services are adopted. Mergers, outsourcing arrangements, and platform upgrades introduce new dependencies. Governance, risk, and recovery capabilities must be tested and adjusted regularly to remain effective.
Striking the right balance
This is why data sovereignty should be treated as an iterative strategy rather than a fixed destination. Organisations need to decide how much control they require, how much agility they are willing to trade, and how they will maintain resilience as technology environments evolve.
Thoroughly managing the data lifecycle is becoming increasingly vital for businesses as AI drives rapid data growth, which could lead to exponential cost increases if organisations fail to establish these processes now.
For South African boards and executive teams, this is now an enterprise risk decision. Choices about cloud adoption, data location, recovery architecture, and third-party dependency sit alongside financial risk, supply chain exposure, and regulatory compliance.
A resilient data sovereignty strategy does not reject innovation. It enables it. Organisations that build visibility, governance, and recovery into their data environments from the start will be better positioned to adopt new technologies, expand across regions, and operate confidently in uncertain conditions.
Those who avoid critically assessing their data strategy may end up with convenience, but not the control essential for true resilience.
Edwin Weijdema is the field chief technology officer: EMEA and cybersecurity lead at Veeam