Recently, and in what seems to be something that has been years in the making, the Privacy Shield framework was invalidated. Much ink has been spilled, including ours, on this topic. We even scaled our business quickly in Europe to help customers. In this blog, we will focus on how this ruling and the trend of increasing data regulations affect centralized cloud providers and more specifically companies’ SaaS adoption.
2020 has brought on many changes and transformations to the way we live our lives, and data privacy continues to be one of the most transformed and debated topics, directly impacting lives and businesses around the world. The year started with more regulatory enforcement and the birth of more global data regulations worldwide, followed by digital rights being a core part of trade negotiations. Last but not least, we have even seen data localization being an American ask in deal-making.
Central clouds and hyperscalers have profoundly changed the way enterprises consume technology and services. They changed the way applications are built, run, and scaled. They have allowed for new business models and opportunities that would have never been possible. In fact, InCountry knows this more than anyone else as our cloud-agnostic platform relies on them to now be available in more than 90 countries.
Central clouds on their own are not bulletproof and cannot ease all pain points. Global companies now face more challenges when it comes to sensitive and regulated data as they have to ensure they comply with data regulations in every country they operate in. These challenges and trends impact customers’ decisions regarding moving to the cloud and adopting new SaaS solutions.
Previously, the Privacy Shield framework enabled transatlantic businesses to transfer personal data while ensuring compliance with data protection regulations. On July 16, the Court of Justice of the European Union (the “CJEU”) invalidated the Privacy Shield framework as part of its judgment in the Schrems II case. While this was expected, it was a big deal. It means personal data of an EU data subject cannot be transferred from the European Union to the United States without a proper mechanism. This applies to companies looking to adopt cloud providers and SaaS solutions that store data, or a copy of the data (high availability replication, backups, etc.), outside the EU.
The timing of this news could not have been worse. Since the pandemic hit, we have all been increasingly relying on SaaS applications. From collaboration and messaging apps all the way to supply chain, sales, and marketing applications, the pandemic has accelerated SaaS adoption in ways no one predicted. This news means all centralized cloud applications will be scrutinized more than ever.
We see more and more governments becoming more protective of their citizens’ data and more wary of centralized clouds storing data on servers outside of their jurisdiction. To comply with these new regulations, companies are turning to more local resources to store data. On-premises might sound like the easy solution here, but after tasting all the cloud goodness, how can companies go back to running their own data centers? This is especially hard because most global applications have neither the bandwidth to run and maintain the infrastructure nor the local regulatory expertise to comply and keep up with these regulations properly. Industries like finance, healthcare, and utilities are heavily regulated and subject to strict compliance policies. As countries increase their data regulations, staying compliant becomes harder. And while central clouds are always adding more regions, localizing workloads efficiently while staying compliant in different countries requires rearchitecting applications and local knowledge. More importantly, most SaaS companies serve their applications from a limited number of countries and cannot utilize new regions quickly. These applications are architected around unique underlying services that cannot be leveraged on another central cloud, making SaaS localization an even more difficult task for companies to embark on by themselves.
With InCountry’s managed compliance platform, customers do not have to run on-premises to stay compliant. InCountry’s availability in more than 90 countries allows customers to set the solution once and repeat it in all countries. Companies can localize only the data that matters: the regulated data, to be stored and served from within that country. SaaS applications are localized, allowing specific customers and employees to be served from inside their countries. This makes for a much more efficient model instead of replicating the complete data stack.
Data residency has always been thought of as an unsexy, complicated idea. It is a challenge usually tossed between compliance and IT teams and is one of the few they both agree is hard to solve! However, 2020 has proven that the implications are profound. Privacy Shield, the EARN IT Act and Lawful Access to Encrypted Data (LAED) are just a few of the implications making this an issue that needs solving. Our most interesting observation so far is seeing forward-thinking global companies choose to act now and make data residency a requirement in their digital transformation.
The localization of data privacy is not a new concept. It is one the cloud has made reliable enough for sensitive data. InCountry’s approach allows customers to utilize all the cloud advantages while still complying with regulations worldwide. The pendulum is now swinging towards a localized and secure internet, and the Privacy Shield invalidation is the latest sign of that. It is a clash of technology, governments, and ideologies. The ideological difference here is the same one that triggered GDPR years ago; the EU is less comfortable with centralized control. These clashes will continue to happen between different governments and cultures, and global companies must be prepared for them.