Location or control? The secret truth of data sovereignty.
👤 Featuring Ravi Chandra & Angie Judge
Is your data really safe just because it lives in your country? In this myth-busting episode, Angie and Ravi dig into the murky world of data sovereignty—and why so many visitor attractions are getting it wrong.
From viral billboards to the complexities of the US CLOUD Act, this episode explores the difference between where your data is stored (residency) versus who can legally access it (sovereignty) and what you should really worry about.
🔍 Examine why location ≠ control when it comes to your data and how the US CLOUD Act really works (and why it probably doesn’t matter)
🧠 Think through the dangers of zero tolerance risk postures and how Dexibit designs for analytics without storing PII
📌 Subscribe for more smart conversations at the intersection of technology, data, and the business of experiences and what leaders need to know to make smart, compliant, pragmatic decisions
Show notes
“The CLOUD Act provides a limited mechanism for United States law enforcement to request data stored in the United States and overseas. Importantly, the CLOUD Act also creates additional safeguards for cloud content, including recognizing the right of providers to challenge requests that conflict with another country’s laws or national interests and requiring that governments respect local rules of law.”
Transcript (generated with AI)
If you want to go from gut feel to insight inspired, this is the Data Diaries with your hosts from Dexibit, Ravi Chandra and Angie Judge, the best podcast for visitor attraction leaders passionate about data and AI. This episode is brought to you by Dexibit. We provide data analytics and AI software specifically for visitor attractions so you can reduce total time to insight and total cost of ownership while democratizing data and improving your team’s agility. Here comes the show!
Angie: I was on the highway the other day and there was this billboard up there. I won’t call out any company names, but it was of a local IT shop and they had a picture of Donald Trump waving his finger and they had some words up there about, ‘don’t let Trump get his hands on your data’.
And I thought, it’s exactly the kind of gaslighting data sovereignty BS that we want to myth-bust in this session. And Ravi’s thankfully gonna school us all on how to think about data sovereignty.
Ravi: Indeed.
Angie: So Ravi, maybe we can start off with this. Like who should be thinking about data sovereignty when we’re thinking about visitor attractions and data, like, whose job is it to worry about this stuff?
Ravi: Well, if you are leveraging data across your visitor attraction or your business, and of course you should be, right, given that data is a key ingredient to making great decisions, you should care, or at least have some awareness, about the implications, especially if you’re dealing with customer data.
And so naturally that’s a core function of traditional, like, governance or info security teams. But in our experience, some of these personas can take relatively extreme positions in order to avoid risk. And it’s like, if you choose to never take a flight, well, you’ll never be involved in an airplane crash.
Right? But flights are a very pragmatic choice, especially if you need to travel long distances, like over the Atlantic Ocean. And I suspect there are many out there that would say, actually, air travel is the safest mode of transport out of all of them. So all of this is to say that awareness at the leadership and exec level is incredibly important in my opinion, because data use can correlate with incredible outcomes on the ground.
And I think it’s really important to have that awareness in order to take a pragmatic position across the business, as opposed to just looking through a specific lens such as security.
Angie: Yeah, I always think about that relationship between, and in this case it’s kind of like that triangle, isn’t it, between the business, technology and, sort of, legal, security, risk, et cetera. It’s the business’s job to be the tension. And like you say, you can choose not to get on the plane, but also you’ll never see the world. And the same is true with data, and it’s the business’s job to be the tension. I mean, some of the best lawyers and some of the best IT security experts that I’ve met in my life have been that risk-pragmatic kind of profile, where they say, oh, you know, we can go to this extreme and be this dogmatic, but with this reality and this reality, these are your options and these are your choices, and this is kind of how you can play it, and the pros and cons. But for the most part, a lot of people in these roles are fairly, extremely risk averse and present a zero tolerance view back to the executive, which is, unless you’ve kind of schooled yourself up to provide that tension, a really hard place to battle from.
Ravi: That’s exactly it, and this is all about what makes data such a difficult topic. Because there’s so much misinformation and fearmongering out there, and it’s that natural tension, because data is seen as, you know, this slightly geeky, deep technical space.
It’s difficult, without having some awareness and confidence around data sovereignty, to participate in those conversations. And I think leaders and execs at this level, they do need to be at the table, because pragmatism is super important at a holistic level.
And unlike a physical asset, digital assets like data are so easy to clone and store, and each copy is subject to different rules depending on the local jurisdiction and any sort of legal framework that’s applicable to all of those parties handling that data in between. And so this creates this incredibly complex supply chain, and many of those touch points are actually outside of your control.
And sometimes even the best of us in governance and InfoSec don’t actually realize that they don’t know about all of the parties along the supply chain.
Angie: Yeah, so many different systems and so many different attributes and so many different people using them, and so many different applications and ways that the data can be sliced and diced. It’s almost impossible for those in the risk team to keep their arms around the whole lot, let alone understand it at a deep technical level if they’re not in that place themselves.
Ravi: That’s right.
Angie: And maybe you could explain just for the grandmas amongst us, like me, what is the difference between data sovereignty versus data residency? Like, how should we be framing and thinking about where one ends and the other starts?
Ravi: Well, it’s actually really simple. Data residency, which you may or may not have heard of, because I think it’s often forgotten, but data ‘residency’ refers to where data is actually physically stored. Data ‘sovereignty’ refers to who can legally access it. The complication is that this distinction is not well understood, and we’ve seen many of the customers that we interact with conflate these concepts and, probably most concerning, they’re unsure of the real motivation behind the requirements that they’re asking about.
And often it’s because they’re just trying to tick a box that they’ve got from another part of the organization. So it really comes back to that awareness of the concepts at play.
Angie: It’s funny you say that, and I think this is such an important point, that you’re making here because in the lifetime of the Dexibit, I’ve had, I don’t know, hundreds of conversations about data ‘sovereignty’.
I have never ever heard a customer or a prospect use the word data ‘residency’, or the term data residency. And yet I think every single one of those conversations has been about data residency and not data sovereignty.
Ravi: I totally believe you, because of this conflation between the two terms. So what I’m saying is that box might not make much sense if you don’t understand the difference between data residency and data sovereignty. So let me give all of the listeners out there an example to make this really clear. Dexibit, we are a software as a service. So we rely on the cloud and we store all of our data in the cloud.
Let’s say we choose to use the Amazon AWS cloud provider, and we choose the Sydney, Australia data center region. What that means is that data residency is really straightforward. Our copy of your data is stored in Sydney, Australia, and remember, that’s just our copy of your data, so we can’t speak to the data residency of other copies.
But now data sovereignty, that is really who can legally access it. It is a much more complex conversation. Obviously the copy that we store will be controlled by us and we will manage and restrict access to it. But it’s also under Australian jurisdiction, given that it’s stored in Sydney. And here’s a really interesting thing: because AWS is an American company, it is bound by the US CLOUD Act, which creates a pathway for the US Federal Government to also access that data. And I think that’s a big thing, that a lot of people are unaware of the US CLOUD Act.
Angie: You know what’s hilarious? That billboard that was up on the highway as well as having a picture of Donald Trump, it also had, I still won’t say what the company was, but they did have Microsoft’s logo on that with ‘Microsoft certified partner’.
Even though they were sort of advertising about this sort of issue of gaslighting around data sovereignty or data residency, I’m getting the two mixed up again, they were in fact working with an international partner who is going to be subject to the CLOUD Act, like you say.
Ravi: That’s super funny, because I think the CLOUD Act actually originated due to a legal dispute between Microsoft and the United States government.
And my memory’s a bit hazy, but I believe the US government were trying to get Microsoft to provide data from its servers in Ireland, and they created this act to basically allow them to get access to that. So yeah, it’s been put in place so that the US authorities can compel tech companies to provide data regardless of where it’s stored.
It also is supported by these bilateral executive agreements between the US and other countries, in order to streamline that process, but clearly its impact is significant. It’s completely reshaped how we even think about data sovereignty, because US tech companies are almost always involved when it comes to the internet in general.
Angie: And that’s where we start to get into it, right? Like, if you want to live in a world where your organization operates on the internet, or if you want to operate a technology strategy which embraces software as a service of any kind, or cloud computing of any kind, in this day and age, let alone if you’re using data that’s coming out of Google Analytics or Meta or whatever, like, you are already in this world. So it’s not a binary question of in it or not in it. And this is where we come back to the risk profile of, like, legitimately, how interested is the US federal government in intercepting your data? And the truth of the matter is, probably not that interested. So are we all worrying about nothing?
Ravi: Well, I think so. Of course, that’s my hot take. But to add some color to your point, again, I’d love to walk through an example. So let’s say that you have an online review that a customer has made about your business, and your business is based in New Zealand, and the customer’s posted that review on Google Reviews
Angie: …publicly,
Ravi: publicly.
So who actually owns the content?
Angie: Google.
Ravi: No, it’s actually the customer. The customer owns that content, as in the text of their review, but by posting it on Google, they have implicitly agreed to the terms of service of Google, which gives Google broad rights to the custody and control of the data. And what that means, through the implicit terms of service, is that the customer has granted Google the permission to store, process and use that content
Angie: exclusive, non-exclusive global rights or whatever they call them, license to content, right?
Ravi: I guess so. And so as the owner of the business, you are able to consume and access that data as per Google’s policies. But of course Google is still subject to the CLOUD Act that we mentioned before, and also the Stored Communications Act, again US federal law, but New Zealand law might still apply in this case, for example in cases of defamation, or if PII or personal data was involved in the content of that review.
So to go back to your original question, things are extremely complex, and if the data originated in systems that reside in the US, or a US tech company was involved anywhere along that supply chain, the pathways for the data to fall into US hands are obviously there. So it just shows how challenging it can be to truly be in control of your data sovereignty.
And I think, going back to your point, really taking a holistic approach to risk management, classic risk management, is the way to solve these problems.
Angie: Can you actually achieve immunity from US jurisdiction in today’s day and age?
Ravi: There is little that we or any provider can do to truly address data sovereignty concerns or avoid the wrath of the US Department of Justice, short of building locally without any piece of US cloud infrastructure. That means no Amazon, no Azure, no GCP, no Snowflake, Databricks, et cetera, and that still applies if you’re running a hybrid or an on-premise model,
because the software, the control planes, are often still residing with and owned by the US company, the parent company. Many would probably still advocate for such an approach, but it’s gonna be hugely challenging in its own right and certainly expensive. Worst case is actually that lack of awareness, because you believe that you’re immune. You think that you’re immune, but you don’t realize you’ve got a small piece of key infrastructure that is still susceptible to the US CLOUD Act. And so you’ve accomplished the worst of all worlds.
Angie: So it comes back to this key myth that location does not equal control.
Ravi: I think so, yes.
Angie: And so with all of this complexity and uncertainty, what would you say is your recommendation for our leaders out in visitor attractions who are having to, you know, have that debate internally with risk and technology and security, having to make decisions and maybe ultimately hold responsibility for that, or needing to step up and take that responsibility as a result of the decision process? What do you suggest for them?
Ravi: My hot take is that you apply classic risk management techniques once you ignore the specific nature of data and the murky waters of cross-border legislation. The important job is to understand the risks at play, the types of risks, the severity, and ensure that you’ve got an acceptable management plan in place, and in most of the cultural organizations that we work with, there will always be experts to help the exec team through these challenges.
And while avoiding data risks at all costs might make their jobs easier, one, it might be that you’re actually already susceptible to risks and you don’t realize it, like, you’re reliant on US-origin sources, and two, avoiding data is unlikely to be part of a successful data strategy.
Angie: Ain’t that the truth.
Ravi: So as long as you’ve got a good solid risk management plan in place, you’ll probably end up in a really pragmatic and powerful position.
Angie: If anything, you could sort of cut off your nose to save your face at this point, like, you know, like if you’re avoiding using the cloud and software as a service to try and avoid all data risk, you’ll probably end up with some horrific on-prem system that’s subject to all sorts of security slackness and hasn’t stood up to the same rigor that some of the vendors would in the first place.
Ravi: We see that all the time. It’s been the driver for many, many technical decisions that I think might’ve made sense, but missed the bigger picture.
Angie: I used to work in the telecommunications and, before that, finance and banking industries. And one of the things we used to worry about when it came to data geography was actually the opposite.
For those who don’t know us, at Dexibit we are based out of New Zealand, hence the accents, which is a land of milk and honey, earthquakes and volcanoes, and subject to the odd tsunami as well. Which makes it an interesting place to think about data reliability when it comes to the worst of the worst.
And so one of the things that, the big banks and the telecommunications companies worried about back in the day when we all had these on-prem systems, was what would happen if the city of Auckland was no longer standing or the CBD was gone. And the building where we house these data centers that we used to have on site was no longer a thing.
And so we would refer to, you know, different geographies in the country to keep copies of this data in places that were a little bit further inland that didn’t get quite so many earthquakes and all the rest of it, and didn’t have as many volcanoes as the 54 we have in Auckland. But then we would also think about, well, what if most of the country was overcome, and whether we should keep a copy of our data in Australia or even further afield.
And this is kind of the opposite problem of what we’re talking about here, and we’ve almost swung the other way with thinking too hard about this risk of who’s got access to our data, that we almost get back into this land of thinking about the risks of having data all in one place. But there’s also sort of that risk of avoiding the internet and avoiding SaaS.
So we’ve almost come full circle on this. Like, to go from a space where we’re subject to all of these risks of having data too much in one place and too local, to now having all of the benefits of cloud computing and software as a service and the digital world at our fingertips and feeling too exposed that way and trying to come back the other way.
So I think all of the advice that you’ve given is fantastic on the sort of pragmatic balancing of risks. But when we come to the heart of those, like, what do the laws actually say in the jurisdictions of the countries of the Western world that most visitor attractions that we talk to operate in?
Ravi: Yeah. Well, as far as I know, most, if not all, countries have strong legal frameworks in place, especially around personal data. The big one is obviously the GDPR in the European Union and the UK and Ireland. In Australia and New Zealand we have the Privacy Act, which definitely covers similar territory, and I know
from memory that even Middle Eastern countries like Saudi Arabia and the United Arab Emirates have very similar laws, the personal data protection laws. So what does this really mean? What is personal data and how does it differ from just data in general? Well, basically there are really strict rules around what you can do with personal data, and specifically data that personally identifies someone.
So, for example, let’s say you sell a ticket. If you store alongside that ticket purchase names, addresses and phone numbers, well, that is personally identifiable information. And so that could be used to identify people and build models around them unwittingly, and this is a no-no. However, when it comes to non-personal data in general, there are no country-level restrictions around data residency or even data sovereignty, not as it applies to typical visitor attractions anyhow. One exception that I’m aware of is Saudi Arabia, which definitely has a strong emphasis on data localization.
So for sure, if you’re operating within Saudi Arabia, you’d be expected to have your data physically located in the country.
Angie: And I think this is the thing, unfortunately, for Saudi: the way that these laws have been written, they’re forcing huge costs on the organizations and the Kingdom to meet with this.
And at the same time, the pragmatic realities of that are not there. AWS hasn’t finished building their data center yet in Saudi Arabia, and they won’t for several years yet. Like, the Kingdom are putting down a very difficult law for some of these organizations to work with, and it’s forcing a huge amount of cost unnecessarily because of the way that the law’s been written. But this is how it is at the moment.
Ravi: That’s right. Of course, there is a lot of, a lot of money available in that part of the world.
Angie: This is also true.
Ravi: That is true. However, you know, in the rest of the Western world I think we have pretty pragmatic, again, to use that word or overuse that word, I think we have pretty pragmatic laws across the board.
Angie: Yeah. Speaking of pragmatism, so our approach at Dexibit has always been, you don’t need to know that it was Ravi, and that his phone number is, I’m not gonna give this out live on air, and the exact address of where he lives with his family, to deliver a great visitor experience decision set that is going to govern your organization.
You need to know that you had a visitor. You need to know whether they were a member. You need to know if they visited alone or with a group, at what time, and what they might’ve purchased. All of these sorts of analytical data points, but you don’t need to know the personally identifiable information to be able to make decent decisions that are delivering on insight to your team, that are helping you with getting more visitors through the door, getting them to engage and spend and be happy and come back and join as members. And so the aim is really to minimize the amount of data that you are collecting in the first place, to be responsible. And a lot of the laws call for minimization, and then obviously consent and encryption and treating things well, as hot points. But then also to minimize your use of the information about Ravi and his family when they visit. And for the purposes of analytics, we can deal with everything but the personally identifiable information, or the PII if we’re in the US, of that data set, whether it’s ticketing or membership or point of sale or email marketing or whatever.
So our approach at Dexibit has always been to strip out the PII. And we certainly have never dealt with PCI, so the credit card information, like you would in a point of sale system for payments.
So we are left with the business analytics and business information, and this is such an important point, I think, because most regulations in most of these countries that we’re talking about are referring and prescribing things according to data sensitivity, rather than just a blanket geography rule for all data of all time.
And this is the point that Ravi’s getting at, that there’s a big difference between, like, I got 15,000 visitors on this day and we sold this many adult tickets and this many people visited at 2:35 and we sold this many umbrellas ’cause it was raining, and here is this information about John and his CRM details that we keep in a separate system.
It also means that you can safely democratize this data and give access to this data, without worrying too much about it versus like some of the access to your CRM system where maybe you don’t want everybody to see like the high net worth list that you’ve got on your advancement team, or you don’t want everybody to be able to just export the phone numbers and email addresses and email ’em off to a friend.
So being able to have a really safe data set to be able to use for analytics purposes responsibly, that’s minimized, to be able to give access to people, I think is a really important principle when you’re dealing with analytics as well.
Ravi: That’s absolutely right. By mitigating this risk, by simply not storing personal data, we comply by default.
And all of those second order benefits are huge. Being able to democratize that data and create that richer, richer experience for the consumers of that data. And so this is where when you start to put this down, put pen to paper and create that, that risk management plan, you realize that actually taking the approach that we’ve taken at Dexibit means that data sovereignty and data residency do not actually apply and matter for use cases that we are talking about.
Angie: Security sure as hell does. And we go to extreme lengths on that front. So we’ve got SOC 2 compliance and all the rest of it, encrypt all of the credentials that we get in from lots of systems. I know you and your team spend a huge amount of time worrying about security, 24/7, Ravi.
Ravi: That’s exactly right. We obviously encrypt all of our data at rest and during transit. What that means is that we’re protected from security attacks like the man-in-the-middle attack, where somebody that can take control of your wifi network, for example, can sniff and see all of your data.
Or even if they, say, can break in and physically steal hard drives, all of that data is encrypted and secure and safe. And I think, just going back to an earlier point that you made, Angie, we don’t build any of these security or encryption systems from scratch, they’re actually really difficult to get right. And instead we largely use Amazon, our cloud provider’s, primitives, which have been battle tested and approved and reviewed and audited. And so it’s an example of the flip side, where utilizing the cloud gives us an advantage in benefits and risk management for the benefit of our customers
Angie: and actually safer.
Ravi: Exactly.
Angie: You know what’s funny? Of all of the customers that I’ve talked to, the ones that have given us the hardest scrutiny around security, 9 times out of 10, are the ones that will accidentally send us the spreadsheet of members with their phone numbers via email, that we have to very delicately go back and make sure that we’ve deleted every single copy of. And also, unfortunately, educate the customer’s stakeholder on what not to send via email. So, definitely the case that having this sort of secure set of data for everyone to work with and have access to is a really important part, because sometimes, like you say, you can protect yourself from, was it sniffing? Did I hear the word sniffing? Yes. Sniffing on the wifi. This is a new term for me. And you can protect from, you know, the person who’s going to break in with the hammer and steal the hard drive. But sometimes it’s like the internal risks, subconscious or unintentional, but still a liability all the same.
And so I think that gives us a beautiful wrap up, Ravi, thank you so much for the introduction to this topic.
I feel so much more confident about talking about the difference between data sovereignty and residency, the difference of where data is stored versus who has access to it in terms of the legal jurisdiction, and that whole difference of location versus control. And talking about the CLOUD Act and balancing some of the realities and risks, but the pragmatic view of those. So thank you for taking us through that. Any last thoughts to leave us with?
Ravi: To sum up, I think data residency is actually a non-issue for most of our customers, and there are actually a lot of benefits to sticking to the cloud, because there are so many more gains in terms of efficiency and performance.
True data sovereignty, on the other hand, is incredibly hard, and it’s unlikely that most organizations could actually weather a Black Swan event. At Dexibit, I believe we take a very pragmatic approach that really balances risk with operational efficiency to ensure that every customer’s data is protected to a high level with security and encryption, without compromising on service or experience, and ensuring that consumers, end users, can have access to that data in a really democratized way.
Angie: Because sovereignty or residency is not necessarily security, is it? Security is so much more than the laws of who’s got access to your data, and that’s what really counts at the end of the day. Like you say, service, speed,
innovation, price and cost and time and everything else. But security is really the thing that people are chasing here, to make sure that they’re compliant with the laws but they’re making good, sensible decisions. And so we just need to get pragmatic and interpret those laws correctly for our data realities.
Ravi: Absolutely.
Angie: Well, thanks very much. I’m gonna go and drive past that billboard once more.
If your goal is to get more visitors through the door, engaging and spending more, leaving happy and loyally returning – check out Dexibit’s data analytics and AI software at dexibit.com. We work with visitor attractions, cultural and commercial, integrating with over a hundred industry source systems across visitor experience and venue operations, providing dashboards, reports, insights, forecasts, data management and a unique data concierge.
Until next time, this is Dexibit!