If your organization collects personal data, then you’re probably aware of the regulations you must follow to ensure the privacy and security of this information. Often, these regulations include guidelines on data residency, or where this data is physically stored.
Most organizations today use cloud-based tools and data centers to process and store data. But this can make it challenging to keep track of data’s physical location and what data laws apply. Organizations operate on a global scale, so it’s critical that users understand where data resides in order to comply with local data privacy laws and data residency regulations.
Understanding Data Residency
Data residency refers to the physical or geographic location where an organization chooses to store or process regulated data. A core element of data privacy laws, it establishes how organizations control and secure personal data that is stored across multiple countries, regions, or states. An organization may store data in specific locations for various reasons, including:
- To provide greater transparency to customers as to where their data is stored.
- To maintain compliance with regulatory requirements of the country.
- To take advantage of another country’s more beneficial tax regime.
Today, more than 130 countries have data privacy legislation established. These countries tackle the challenge of data protection differently, all of which can impact data residency.
Data Residency Vs. Data Sovereignty Vs. Data Localization
Data residency, sovereignty, and localization are sometimes used interchangeably. While these terms are interrelated, they are not the same. It’s important to distinguish between each of these terms to know how they impact data.
Data residency, as stated above, is the location where data is stored or processed, generally for policy, tax, or regulatory reasons. Both the U.S. and Canada, while not having broad data residency requirements at the Federal level, have laws related to data restriction and access, particularly by government and public sector organizations for security purposes.
Data sovereignty means that data is subject to the local data privacy laws of the country where it is stored, even if it is outside of that organization’s host country. Organizations must follow all legal requirements established by the country as well as be held accountable if they fall into non-compliance.
For example, the General Data Protection Regulation (GDPR) requires that any data collected by organizations residing in the EU must also be stored and processed within the EU. Any data movement outside of the EU must comply with transfer requirements and be to places that maintain a similar level of data protection as the GDPR.
Data localization refers to requirements that all data collected within a country’s borders must either always have a copy of the data or completely remain within these borders. For example, Russia’s On Personal Data Law (OPD-Law) requires that data collected from citizens must be stored in or retrieved only from data centers within the country. Other countries (including China, Australia, and Germany for example) have specific localization requirements for specific data types.
Meeting Data Residency Requirements
Meeting data residency requirements is crucial for maintaining compliance with data privacy laws and regulations. First, it’s important to define the type of data your organization collects. This will determine in what locations certain data needs to be stored and why. You’ll also have a clearer understanding of what data is subject to local data residency requirements, so you can stay compliant.
Meeting these standards helps your organization minimize data residency risks like:
- Violating a data privacy law or regulation
- Access by unauthorized foreign organization
- Increased costs, such as tax policies
- Limited disaster recovery capabilities
- Customer mistrust due to privacy issues
If you are using a third-party software to collect or store data, it’s imperative that the organization providing this product or service has the right security and compliance standards. Organizations should vet these third-party services to ensure the data residency terms meet requirements wherever data is stored, and data movements comply with regional statutes.
For example, FormAssembly upholds high security standards extends to our data centers, which are located around the globe and hosted by Amazon Web Services (AWS). Using AWS, we offer global regions to accommodate our customers’ data security needs, such as GDPR compliance. Additionally, FormAssembly is in compliance with HIPAA, CCPA, PCI DSS, SOC 2 Type 2, and ISO 27001 (and 27001 SoA), as well as FedRAMP-Ready at the Moderate level.
Learn More with FormAssembly and AWS
Interested in learning more about data residency and what it means for your organization? Join us on May 17th at 1 p.m. to hear from FormAssembly CTO Jeff Keating and AWS Chief Technologist for Education at Amazon Web Services Leo Zhadanovsky as they discuss the realities of data storage with cloud infrastructure, global compliance standards on data residency, and how your organization can control where your data resides.
