Data Residency: Are You in Compliance?


Join our newsletter!

Receive the latest data collection news in your inbox.

For all organizations that rely on cloud services to store data globally, compliance with privacy regulations should be top of mind. Once data is no longer housed in local servers, it is subject to the privacy regulations of the country, region, or state in which the data center is located. If your organization’s data spans international borders, you must be clear on where your data resides to remain compliant with local privacy laws.

These regulations vary from country to country and even between U.S. states. And are often complicated and difficult to understand or follow. The question of data residency, and in turn data sovereignty, only adds to the challenge of staying compliant in this complex regulatory environment.

To maintain compliance with data privacy laws, it’s important to understand how data residency impacts your organization.

What Is Data Residency?

Data residency refers to the location where data is physically stored. This may be in the actual location of an organization or in a separate country or region, often for tax or regulatory purposes. Unfortunately, in today’s highly regulated world, simply knowing the location of your data isn’t enough. 

Many countries and regions enforce compliance with data privacy regulations for any data that an organization stores within or transfers between their borders. If your organization provides services over the internet, security and compliance quickly become a challenge. The more data stored across data centers and geographies, the greater the challenges posed by local data privacy regulations.

An often overlooked consideration is identifying where your collected data is processed, even if you can identify the geographic locality of your primary data centers. Do you have off-site backups or service providers which process data? Or automated failover/redundancy built into your system architecture that could lead to data being stored in a new region? These are important factors to account for when considering data residency.

Data Residency Vs. Data Sovereignty

This is where data sovereignty comes into play. Data sovereignty means that any data stored within a certain country must also be subject to the country’s privacy laws and governance requirements. For organizations that operate within the cloud, it may seem that cloud service providers will do all the work to secure data across borders. But this shouldn’t be assumed.

Any data security incidents involving an organization’s data will ultimately be the responsibility of that organization. Security leaders should be clear on where data is located and establish security and compliance policies regarding how their organization collects, stores, processes, and transfers data. Especially if this is happening outside of the organization’s geographical location.

Achieving Data Residency Compliance

Complying with data residency requirements ensures that your data is secure and your organization minimizes threat risk. Here are four considerations for how your organization can maintain compliance across borders:

  1. Identify the type of data your organization collects. Healthcare and financial data have greater protections under certain privacy laws. These protections vary depending on regulations such as GDPR or a country’s specific data residency requirements.
  2. Know where your data originates. Depending on what location data comes from, the data may be subject to stricter data residency requirements that extend beyond borders. For example, if data originates from the state of California, the CCPA regulation potentially applies to that data, even if your organization isn’t based there.
  3. Know where your data is stored. The crux of data residency is controlling where your data is stored. That includes backups, failover and redundant systems, and records that may be processed for other purposes that may result in storage – temporary or otherwise – outside of a compliance-defined location.
  4. Understand which regulations apply to your organization. Know which data privacy laws affect the data you collect as well as the purpose of these regulations. Be sure that any third-party vendors also maintain the same level of compliance and security.
  5. Determine access management and control. Once data type is identified, establish administrative controls to monitor who has access to protected data. This can also include geographic controls that relate to who can access or transfer data. 

Learn More with the Experts

Interested in gaining a clearer understanding of data residency requirements and how your organization can meet them? Learn more in our webinar on May 17th at 1 p.m. hosted by FormAssembly CTO Jeff Keating and AWS Chief Technologist for Education at Amazon Web Services Leo Zhadanovsky as they discuss the realities of data storage with cloud infrastructure, global compliance standards on data residency, and how your organization can control where your data resides.

Don’t just collect data
— leverage it