Sovereignty, data privacy, and sensitive data

Turning data governance challenges into opportunities

In a context where data has become central to value creation for many organizations, ensuring control over data has become a critical priority.

This article explores the challenges, benefits, and complexities associated with three major dimensions of data governance : sovereignty, data privacy, and the protection of sensitive data.

The growing importance of these three topics is being driven by several major macro trends. Among them is the explosion in the volume of data, increasing from 2 to 180 zettabytes between 2010 and 2025 according to Statista, largely fueled by digitalization, the democratization of IoT technologies and social networks, and more recently the rise of generative AI.

Additional contributing factors include the growing wave of regulations across multiple regions of the world, increasing customer and citizen expectations regarding personalization, including hyper-personalization, and interconnectivity, as well as the return of geopolitical tensions and war on the European continent.

Three major pillars of data governance

Sovereignty

More than 50% of large European companies transfer their data to American platforms.

Objective : Maintain control over data, algorithms, and tools without becoming dependent on external actors such as foreign states, software vendors, or pre-trained generative AI platforms.

Data privacy

In 2022, fines related to privacy violations in the European Union reached €2.92 billion.

These fines reflect several converging trends : growing citizen expectations around ethical issues such as CSR and privacy, increasingly robust legislation responding to these concerns, and stricter regulatory enforcement following an initial phase focused on awareness and education.

Objective : Manage personal data, including customer, employee, and third-party data, in an ethical and sustainable manner.

Sensitive data

In 2024, 33 million French medical records, including social security numbers, were leaked through the Viamedis and Almerys cyberattacks.

Objective : Secure sensitive data, meaning any data whose uncontrolled disclosure could have significant negative consequences, while reducing dependency on sensitive data whenever possible.

Focus on sensitive data

The management of sensitive data, historically a major concern within the defense industry where strict rules and governance frameworks are systematically established upfront, is becoming increasingly important across other sectors as well, including pharmaceuticals.

At the same time, the growing tendency to systematically share data across multiple departments and data domains is making the protection of sensitive information increasingly complex.

When it comes to sensitive and highly sensitive personal data, particularly in the healthcare sector, maintaining end-to-end control over the legal frameworks governing the collection and processing of this data is essential.

This includes core data privacy considerations such as consent, legitimate interest, and public interest.

To avoid excessive process complexity, especially from a legal perspective, several mechanisms provide significant value by partially or fully dissociating data from the individuals associated with it :

  • Personal data anonymization : highly effective when only aggregated or statistical insights are required, such as the number of customers or patients matching specific characteristics.
  • Data destructuring : removing the link between information that was initially correlated. Examples include separating a luxury customer’s name and address from their purchase amount, or isolating technical plans for individual components instead of centralizing all plans related to a defense system. The value and sensitivity of data often emerge from the intelligence created through the association of multiple data points.
  • Synthetic data generation : creating statistically usable data sets that have no direct connection to real individuals or systems.
  • Data minimization : reducing the quantity of collected and stored data in order to limit the overall volume of sensitive information requiring protection.

At the same time, securing sensitive data increasingly relies on new approaches and security models.

Data-centric security

Adopting a data-centric security strategy means placing data protection at the core of all cybersecurity initiatives. This approach recognizes that not all data carries the same level of value or sensitivity, and that protection mechanisms must be proportional to the criticality of the information.

Implementation :

  • Data classification : identifying and categorizing data according to its sensitivity and importance to the organization. This enables security resources to be prioritized around the most critical assets.
  • Data encryption : using encryption techniques to secure sensitive data both in transit and at rest, ensuring that only authorized parties can access it.
  • Role-Based Access Control (RBAC) : defining strict access policies based on users’ roles and responsibilities, limiting access to sensitive data only to individuals who genuinely require it for their work.

Zero-trust model

The zero-trust model is based on the principle of never trusting anything, whether inside or outside the network, without prior verification.

Every attempt to access company resources must be authenticated and authorized.

Implementation :

  • Multi-factor authentication (MFA) : Enforcing the use of multiple authentication factors to access systems and data, thereby reducing the risk of unauthorized access.
  • Micro-segmentation : Dividing networks into smaller and secured segments in order to limit lateral movement by attackers in the event that part of the network is compromised.
  • Continuous monitoring : Implementing monitoring and logging systems capable of detecting abnormal behaviors and intrusion attempts in real time, enabling rapid responses to security incidents.

Post-quantum cryptography

Quantum computers promise computing power far beyond that of traditional computers, but they also represent a major threat to current cryptographic systems.

Organizations must prepare for this transition by adopting cryptographic techniques resistant to quantum attacks. These attacks may occur in two stages : data can first be stolen and stored in encrypted form, before being decrypted later once quantum computing capabilities become available.

Implementation :

  • Research and development : Investing in the development of new post-quantum cryptographic methods capable of resisting quantum computing capabilities.
  • Security audits : Conducting regular audits of existing cryptographic systems to identify vulnerabilities related to future quantum threats.
  • Progressive migration : Planning and executing a gradual transition toward post-quantum cryptographic algorithms, ensuring that systems and data remain secure as technology evolves.

To learn more about these topics and identify the impacts and opportunities relevant to your organization, contact our partners and experts :

Morand Studer (Managing Partner, responsable des sujets Data)

Pietro Turati (Partner, responsable des sujets Cybersécurité)

Paul Schreiner (Manager, expert Cybersécurité)

Guillaume Coppola (Manager, expert Data Privacy)

Contact us
Contact us
From insight to action,From today to what’s next, Build the future with us
Contact

Other insights

All insights
All insights

Innovation in the age of AI : Towards new foundations of innovation

More

[Exclusive] InfraVia Capital Partners : "Transforming the status quo through AI"

More

Yield management

More
All insights
All insights
All rights reserved | Eleven © 2026
Réalisé par Afalence
Who we are
About usEleven StrategyEleven ScaleEleven RaiseEleven Research Lab
Insights
Reports
Business cases
Articles
Eleven
EcosystemContactCareerscookies