Foreword – global data protection situation
Both large and small companies are recently challenged by new data residency regulations that emerged due to the growth of digitalization and an increasingly global business environment.
Data localization laws can require sensitive data to be processed and stored in the country of origin.
Therefore, following legal requirements of storing data in a specific country is a core requirement for meeting data protection standards.
What is data residency
Data residency defines in which country an organisation’s data is stored or processed.
Most often businesses have to operate under local regulations, which require different data types, including data about nations’ citizens or residents, to be stored or processed inside the country of origin. Usually this happens due to regulatory, tax, or policy reasons.
Data residency becomes even more complicated due to evolving guidelines from both government and regulatory bodies, forcing companies to continuously review their internal policies for where data can be stored to comply with data residency requirements.
Data residency vs data sovereignty
Whereas data residency only concerns the presence of sensitive data inside the country of origin, data sovereignty takes things a step further. Data sovereignty covers data inside a nation’s borders, taking into account that any data inside that country is subject to any and all data laws applicable in that country.
The two terms are not the same, as data residency is more general in that it only covers the location of data. Where an international company chooses to store and process sensitive data of customers and employees is a data residency matter, but the compliance aspect of following data regulations within any country where a company does business is data sovereignty, as it specifically concerns laws and regulations.
The two terms are therefore often treated as two sides of the same coin, with data residency being more popular in business lexicon due to the inference of data compliance in the places where data is stored. This also brings another term, data localization, into the fold.
Data sovereignty vs data localization
How does data localization relate to the other terms?
Actually, they are three definitions for this single concept: how data privacy impacts cross-border data flows.
Similar to data sovereignty, data residency also refers to the legal or regulatory requirements imposed on data based on the country or region in which it resides.
Organizations that handle international data must ensure that data privacy is not put at risk when shared across borders. Likewise, understanding the legal requirements of storing data in a certain country is fundamental to meeting data privacy and security standards. With that, here are deeper explanations into these two terms.
What is data sovereignty?
As noted above, data sovereignty differs from data residency in that not only is the data stored in a designated location, but is also subject to the laws of the country in which it is physically stored. This difference is crucial, as data subjects (any person whose personal data is being collected, held or processed) will have different privacy and security protections according to where the data centers housing their data physically sit.
This difference is also crucial for businesses, as a government’s rights of access to data found within its borders differ widely from country to country. This is where data sovereignty and residency are often conflated. Ensuring data sits within a geographical location for whatever reason – whether avoiding or taking advantage of laws, regulations and tax regimes, or even for pure preference and comfort – is a matter of data residency. But the principle that the data is subject to the legal protections and punishments of that country is a matter of data sovereignty.
They are clearly related, and even two sides of the same coin, but one is a matter of national legal rights and obligations, while the other is a matter of geography. Recognising this distinction will help professionals better prepare for compliant data management and exchange.
What is data localization?
This is the most stringent and restrictive concept of the three, and like data sovereignty, is a version of data residency predicated on legal obligations. It is also the concept that is growing the fastest internationally.
Data localization requires that data created within certain borders stay within them. In contrast to the two terms above, it is almost always applied to the creation and storage of personal data, with exceptions including some countries’ regulations over tax, accounting and gambling.
In many cases, data localization laws simply require that a copy of such data be held within the country’s borders, usually to guarantee that the relevant government can audit data on its own citizens (provided there is due cause) without having to contend with another government’s privacy laws. India’s draft Personal Data Protection Bill is an example of exactly this.
However, there are countries where the law is so strict as to prevent it crossing the border at all. For instance, Russia’s On Personal Data Law (OPD-Law) requires the storage, update and retrieval of data on its citizens to be limited to data center resources within the Russian Federation.
Typical criticism of these laws is that they use the mask of enhanced cybersecurity or citizens’ privacy concerns to conceal the real motivation of national protectionism. This border-based siloing of data, it is claimed, obstructs businesses and governments from realising the full potential that data stands to offer and contributes to digital factionism and the “splinternet”.
But regardless of the debates surrounding the practices, we find that execs often need to better understand the importance of the differences between these three terms. As data privacy professionals, we may be sticklers for using the right vocabulary in the correct circumstances, but the frequency and manner in which these words are used interchangeably amongst the businesses we engage with, and even other industry commentators, indicates a dangerously widespread misunderstanding.
How to estimate your infrastructure compliance requirements
Addressing any level of confusion in your own business will allow you to identify the precise obligations that apply to you and interrogate your cloud service providers’ capabilities more rigorously.
As a starting point, try applying the above distinctions to these key questions about your own infrastructure:
- Where are each of your various categories of data (personal data, financial records, etc) created or processed and what obligations might this bring?
- Where is it then stored, and who owns the data center? Your data may be in a data center in the UK, but if this data center is owned by a US-headquartered company, then the US Government may have the rights to access your data under the CLOUD Act.
- What are your procedures for back-up? Where is your data backed up to? According to the type of data in question, what local stipulations exist for the security or encryption of that data?
- How confident are you in your cloud partner(s) understanding of current and future data privacy regulations? How have they evidenced that their data centers meet all your local and global privacy needs, or have you assumed it?
So how do multinational companies handle data residency challenges? That’s exactly where InCountry comes in. Our data residency-as-a-service solution enables companies to securely store and process regulated data within the country of origin.
InCountry: Data residency for SaaS
InCountry is empowering global companies with more control over where their data is stored and helps them comply with local data residency regulations by making sure necessary data stays within the country of origin. Data regulations challenges continue to be one of the hurdles preventing companies from adopting best of breed SaaS solutions and InCountry removes this obstacle, making customers’ journey to the cloud and taking advantage of SaaS solutions an easier one.
Currently InCountry provides data residency-as-a-service in over 90+ countries – and this number is constantly growing. We are enabling multinational companies to securely and compliantly store regulated data.
For brands looking to connect with customers in countries and regions with strict data residency requirements—like Australia, UK and EU—brands will need to adapt their processes to capture all relevant customer data locally and be able to act on it in real time.
Data residency-as-a-service – how it works
- InCountry securely stores data records in two top tier data centers for each country
- Our SDK directs data to and from our in-country data stores and enables your application to communicate securely
- The InCountry SDK uses two different types of world class encryption to store your data
- Our SDK retrieves records using the hashed keys, it uses encryption, not tokenization
- InCountry Border keeps data within a country’s borders with no coding changes
- InCountry MSP offers dedicated and isolated databases
What’s more, we follow the highest standards in the industry. That’s why InCountry is constantly improving its solutions by staying ahead of the latest trends and adapting to the latest compliance standards.
Stay updated on global data residency regulations with our always-current country maps.