June 07, 2023

What every CISO needs to know about data residency

What every CISO needs to know about data residency

Global companies expect CISOs have expertise in data residency programs, an in-depth understanding of security trends specific to the relevant industry, and familiarity with current business challenges and solutions. 

CISOs are at the forefront, even in the event of data breaches, guiding other staff members on efficient and proactive crisis management tactics.

This article is intended to help CISOs stay informed about current data residency laws, risks, and difficulties, as well as how to get around them and attain optimal data sovereignty compliance.

Overview of global data residency issues

Data residency is a growing concern for multinational corporations due to the increased digitization brought on by the rapid uptake of technologies like cloud computing and data analytics.

Data residency is the localization of regulated data, such as personal data, within a particular region or country. It typically calls for businesses to process data locally, store a copy of the data locally, and obtain individual or governmental consent for data transfers.

Companies face the real challenge of conducting operations to meet various privacy standards in different regions since the laws governing how data is collected, processed, and shared constantly change across nations. As a result, compliance has become more complicated, necessitating frequent internal reviews by businesses.

The modern global economy is regarded, quite rightly, as being powered by data. But despite the fact that digitization and the ability to share data easily across borders result in significant benefits for businesses, consumers, and national economies, several countries have put up barriers to cross-border data flows in order to manage the attendant risks.

Let’s closely examine some of the key international laws governing data protection.

Data residency laws around the world


Europe has a unified data protection law called the GDPR (General Data Protection Regulation). This law, which is part of the EU’s privacy and human rights laws, governs the processing of personal data within the EU.

While the EU does not explicitly mandate data localization, it does have restrictive policies that make data transfer nearly impossible. These rules must be followed when transferring data outside of the EU, whether it is done by moving it physically to a facility outside the EU or allowing someone outside the EU to access it electronically. 

Along with the GDPR data residency rules, numerous other European nations have passed national laws. For instance, the Bundesdatenschutzgesetz (or “BDSG”) in Germany protects personal information for both private and federal organizations. Also, there is the Telekommunikation-Telemedien-Datenschutzgesetz, or “TTDSG,” for those who process personal data digitally.

Refer to our article on the scope of data protection in Germany


Three laws—the Data Security, Cybersecurity, and Personal Information Protection Law—govern data residency in China. These rules are thorough and detailed and apply to all data controllers operating in China.

The Cybersecurity Law was the first significant data protection law to be passed in China. It formalizes the defense of Chinese cyberspace, advancing the nation’s technological advancement and digital economy. It grants data subjects a number of rights, including the ability to opt-in to the collection and use of their personal information. Prior to the adoption of the Personal Information Protection Law (PIPL), which will be covered shortly, this legislation served to safeguard personal information in addition to its cybersecurity provisions.

The main piece of legislation in China governing data security is the Data Security Law. It gives data-controlling industries a framework to work within when classifying and categorizing data, performing risk analyses and security reviews, etc.

The Personal Information Protection Law, which focuses on safeguarding the personal information of individuals with legal residence in China, is the most notable of all. It also has an extraterritorial reach because it impacts non-Chinese organizations in the context of their business dealings with Chinese citizens. It ensures that information about Chinese citizens remains in China. It establishes stringent guidelines for international transfers and codifies the rights of data subjects to know and control how their personal information is used.

See our detailed guide for information on China’s data residency laws.


Canada has a federal law known as the Personal Information Protection and Electronic Documents Act (PIPEDA). It regulates how personal information about Canadian individuals is gathered, used, and shared. Its guiding principles are accuracy, integrity, secrecy, transparency, purpose limitation, and purpose minimization. 

The PIPEDA, like the GDPR, acknowledges that individuals have unalienable rights to their personal information, including the rights to information, consent, access, and rectification.

As a result, regarding protection criteria, PIPEDA is now seen as equivalent to the GDPR.

Look here for the full scope of data residency in Canada.


The Federal Law No. 45 of 2021 on the Protection of Personal Data in the United Arab Emirates is a ground-breaking piece of legislation that ensures the privacy and security of all personal data collected in the nation. It gives UAE citizens and residents a legally protected right to online privacy while bringing the country into compliance with international standards for data protection. It covers many areas, including data collection and usage, data security, data retention, subject access requests, data transfers, data privacy impact assessments, children’s data, and consent management.

The Dubai International Financial Centre (DIFC) Data Protection Law, DIFC Law No. 5 of 2020, is another law that safeguards the data of people and organizations in the DIFC. It establishes precise obligations and liabilities with regard to the gathering, utilizing, and disclosing of data by entities working within the DIFC. It also sheds light on fundamental data privacy and protection principles like openness, responsibility, and security of any data gathered in the DIFC, whether manually or electronically.

The Abu Dhabi Global Market (ADGM) Data Protection Regulations No. 2 of 2018 apply specifically to personal data processing within the ADGM. It adopts principles that are comparable to those established in the Data Protection Law and the DIFC Law, with additional specific provisions that provide more guidance on how to comply with them.

There are laws that apply to particular industries, such as Federal Law No. 2 of 2019 on Data Regulation in the Health Fields, which governs health-related data and codifies residents’ rights to decide how their health data is gathered, used, stored, and shared with others. Additionally, it offers a legal path for complaints resulting from improper handling of personal data.

Check out our article on data residency laws in the UAE and how to comply with them.

Kingdom of Saudi Arabia

The recently passed Personal Data Protection Law largely controls Saudi Arabia’s data protection environment. It sets rules for procedures involving the gathering and processing of personal data. It is based on general data processing principles and covers in great detail the rights of data subjects, processors’ obligations, cross-border transfer protocols, and penalties for noncompliance. 

The PDPL clearly states that the owner’s consent must be obtained before data can be collected and processed. Additionally, it gives owners the ability to maintain control over their data and may revoke consent at any time. 

All organizations must make their privacy policies available for customers to review before providing their personal information.

All data holding must be registered onto an electronic portal, and this registration is renewed upon payment of an annual fee.

Foreign companies processing the data of Saudi citizens must have a representative in the Kingdom who is responsible for communicating with the regulatory body about their data sovereignty compliance measures.

In addition to the PDPL, other laws exist to guarantee data sovereignty compliance in particular industries. The Anti-Cybercrime Law of 2007, regulated by the National Cybersecurity Authority, and the E-Commerce Law of 2019, which is overseen by the Communications and Information Technology Commission, are two notable examples.


The General Data Protection Regulation (GDPR) is applicable to Turkey because it is an EU member. 

However, there is also a national law on the protection of personal data (DPL) in place, established in 2016 and regulated by Turkey’s data protection authority, the KVKK. The DPL prohibits the collection of personal data without the subject’s express consent, except in some stated cases. It also lays out guidelines for the transnational transfer of data.

The DPL’s requirements have spawned a number of additional laws that oversee the operations of data controllers and processors and impose penalties for noncompliance. The KVKK also regularly publishes rules and directives that assist businesses in applying the DPL’s provisions to their particular industry.

Before the Data Protection Law was passed, the Turkish Constitution governed the protection of personal data. It still does so concurrently with the new law. Citizens have the power under Art. 20 to request that organizations that collect personal data, whether they be private or public, protect that data. Thus, private individuals can enforce the protection of their data through legal action.

A few measures for data privacy are also included in Criminal Code Law No. 5327. They impose criminal liability on natural or corporate persons who engage in the illegal collection, delivery, and destruction of data.

Check out the full list of Turkey’s data residency laws here.


Indonesia has its Personal Data Protection Law as its primary reference for protecting personal information. The law covers data owners’ rights, processing principles, the duties of controllers and processors, and the proper methods for collecting, storing, processing, and transferring personal data. However, its rules only apply to processing done for commercial purposes, and not personal or domestic data processing.

However, there are other pertinent industry-specific laws such as the Ministry of Health Regulations of 2022 that protect the privacy of personal medical information, the Bank of Indonesia Regulation of 2020, which requires banks and other entities under the Bank of Indonesia to protect customer information, and the Financial Services Authority Regulation of 2022, which is applicable to all financial service institutions and ensures the security and confidentiality of customer information.

Read our complete guide on data residency in Indonesia.

Data localization by InCountry helps global businesses comply with residency regulations by keeping data safe within the country of their operations.

Best practices for data residency issues

  1. Understand the laws and regulations:

It is necessary for CISOs to keep up with developments in laws across regions. They must also make it a practice to educate staff members about data security constantly. Similarly, when outsourcing processing, the organization must only choose service providers who are in step with global data residency requirements.

  1. Conduct a data audit:

Some regional laws expressly recommend the appointment of a data protection officer (DOO), the equivalent of a CISO in this context, to ensure that routine audits are carried out regularly.

For instance, the PDPL demands that businesses conduct impact analyses regularly to guarantee that all compliance procedures are in place. They must also ensure that the service providers they work with undergo these routine audits.

  1. Find a technology solution that meets your needs:

Legal requirements regarding data residency can be quite difficult to comply with. Doing so manually is very expensive, consuming a lot of resources—both human and financial—that could have been used for corporate growth and expansion.

More and more companies are seeking intelligent and efficient technological solutions, like data residency as a service, to simplify the process of staying compliant with all data residency requirements by country.

Empowering your data journey with InCountry

Your company should not have to fight to keep up with changing data residency laws from several jurisdictions. You need a trailblazing approach that permanently eliminates compliance-related worries.

That solution is InCountry. Industry leaders across the globe agree that InCountry is the best compliance tool for your data journey.

InCountry completely removes the tedious processes of repeatedly reviewing various residency laws, providing ready-made compliance without interfering with daily business operations.

At InCountry, we stay abreast of technological and legal best practices to guarantee data protection across different political regions worldwide.

Companies can now concentrate on international operations and expansion without worrying about infringing on data regulations. We offer timely, effective services that are available anywhere.

Try our demo to learn more about how our compliance solutions meet your business needs.