September 21, 2022

Data Residency Checklist for SaaS Companies

Data Residency Checklist for SaaS Companies

Data has become versatile and more accessible than ever, with the liberty to move across borders. Several SaaS-based companies that utilize cloud storage are springing up daily with unique services and are leveraging the accessibility of data to make their services available to users and consumers worldwide. This proliferation of data has affected the global economy positively, as countries have leveraged this to boost their economies and global output. 

However, this has brought increased concerns to nations who, in a bid to gain control over the movement of data in and out of their jurisdictions and protect the data privacy rights of their citizens, have erected high walls in the form of government policies and regulations. Due to these constraints, SaaS companies need to stay in conformity with these restrictions to continue operating lawfully. 

In this article, we will explain what data residency laws every SaaS company should be aware of in case they want to expand their business internationally.

Understanding data residency requirements by country

The data residency issue for SaaS companies has become more complex with the new and evolving global data regulations that vary from country to country. The use of cloud storage has extended the scope of internet technology and services beyond what was formerly possible.

Unchecked could result in national security breaches and users’ privacy rights violations. This is why countries have implemented SaaS data-compliance rules to ensure that data must be operated and managed following existing national laws. Check out the following data residency laws by country that your SaaS company should look out for.

China

The major body of law related to the protection and security of data is contained in the Personal Information Protection Law (PIPL) 2021. A few other laws exist, such as the Draft Data Security Law and the Cybersecurity Law, of which Article 37 provides that personal information and important data generated from critical information be stored within the country.  Only two weeks ago, clarifications to the existing body of regulations were released, one of which outlines a very lengthy process requiring a CAC (Cyberspace Administration of China) security assessment, certification, and Standard Contract Clauses to be enacted before any Chinese user PII or important data crossing borders.

The existence of multiple laws on the subject has made the process of achieving regulatory compliance for SaaS applications quite cumbersome for global companies operating in China.

Turkey

Although yet to acquire the force of law, the Information and Communication Technologies Authority (ICTA) has released a Draft Regulation Concerning the Processing of Personal Data and the Protection of Privacy in the Electronic Communication Sector.

Article 5 of the Draft Regulation prohibits cross-border traffic and location data transfer to maintain national security. Social network providers have equally been mandated to retain the data of Turkish users within the country. These companies must also report their compliance efforts to the ICTA biannually.

South Korea

South Korea has a strictly regulated framework for data residency. The Personal Information Protection Act 2011 (as amended in 2020) regulates the collection, usage, disclosure, and other processing of personal information by governmental or private entities. 

The data protection laws in South Korea provide delineated data residency for SaaS requirements and create enforcement agencies to ensure completion. South Korea is also a participant in the Asia-Pacific Economic Cooperation Cross Border Privacy Rules (‘APEC CBPR’) agreement, among others.

Japan

The data privacy law in Japan is the Act for the Protection of Personal Information (APPI), established in 2005. The 2015 amendment of the Act made it compulsory for businesses to obtain consent from citizens if their data was transferred offshore.

The United States of America lacks a data privacy law at the federal level. This means there are no data residency laws for SaaS companies. However, a US-based firm must comply with other countries’ applicable data residency for SaaS requirements if they seek to carry out business activities there. 

Understanding data residency requirements by industry

Most countries have in place different data residency laws to ensure SaaS data compliance among players in various industries within their territory. While some of these residency laws are strict, as in the case of South Korea and Canada, others are quite lenient, like the US residency laws. 

However, these privacy rules all share one focal point: the storage of data locally in the originating country. Below, we will look at some privacy requirements in different industries.

Telecom service providers and Internet service providers

Companies in the telecommunication industries are mandated to process and store data in the originating countries. For instance, India’s telecommunication and internet service industries are regulated by the  Unified License Agreement(Ula) and the IT Act of 2000.

The Ula provisions in Clause 39.20 compel telecommunication service providers and internet service providers to protect all sensitive data of subscribers from unauthorized access. The Act also provides that sensitive information collected from subscribers be archived in the country for 12 months. This is to allow for proper vetting by the Department of Telecommunications. Furthermore, Clause 39.23(viii) prevents TSPs and ISPs from transferring subscribers’ data outside of India. However, this restriction on data transfer can be avoided in international roaming and billing cases.

Additional circumstances of when sensitive data of TSPs and ISPs subscribers can be transferred outside of India were provided for in the IT Act of 2000 and IT Rules of 2011.

Healthcare and medical sector

To ensure the smooth running of a healthcare company, it is crucial to secure Personally Identifiable Information (PII) and Personal Health Information (PHI) of patients. According to the provision of GDPR, health companies operating with the EU are mandated to keep patients’ data within the EU. 

If the data is to be transferred outside of the EU, then it can only be transferred to countries or organizations that have signed up for equivalent privacy protection. In the US, HIPAA provides that any health organization dealing with Protected Health Information must comply with the set privacy rules of the HIPAA act. However, the U.S. federal government launched the MyHealthEData program in 2018 to encourage patients to control their PHI and to freely transfer data among doctors. 

Finance sector

In Australia, the Consumer Data Right gained the force of law in July 2020 and mandated that all financial data must be stored within the country. In China, the data residency laws are quite strict and mandate all banking services to have their data centers in china. Also, Chinese personal financial information can only be analyzed, stored, and processed locally.

Prepare your product for safe data transfer

Successfully operating a SaaS business entails structuring your business to meet Saas compliance requirements of the locations your business operates in. To successfully pull this off, it is pertinent that your company stores any personal data entered in a SaaS application on storage that is physically located in the country (or an approved territory) to comply with data residency for SaaS companies. 

For instance, countries in the European Union rely on the  GDPR for data compliance. This regulation governs the processing of personal data within the EU and is a key component of the EU’s privacy legislation. While the EU presently has no particular data localization standards, the recent repudiation of the Privacy Shield could indicate that such criteria are now required.  As a result,  many firms have initiated necessary steps to guarantee that their data policies ensure that users’ data is localized before it leaves their country of origin.

The best way to achieve SaaS regulatory compliance for your business is to use cloud providers offering residency support or partnering with a residency as a service provider.

How InCountry helps to comply with all data regulations

Data localization and residency laws imply that global companies must store all personal data entered in a SaaS application physically in the country (or an approved territory). They also mean that global companies must go through a cumbersome SaaS compliance checklist that includes tedious research processes, web-hosting, engineering, operations, and maintenance. This results in additional cost, time, and workload that might cripple your business operations. 

InCountry allows software-based businesses to meet SaaS data compliance rules. It helps global companies keep up with ever-shifting data requirements in many countries worldwide. The result is more ease, less time, and less money spent on software and infrastructure. These companies get to invest their resources instead in perfecting their product models and refining customer experiences.

Scaling globally does not have to be tedious. Through the data residency as a service, we help SaaS companies simplify the process of entering new markets, significantly reducing compliance costs and completely avoiding litigation costs for non-compliance.

Feel free to contact us to learn more about how we can help you overcome your data residency compliance issues.