Data residency is the physical location or locations of an organization's data, and the organization's storage management in regard to managing specific data in particular locations. Data residency also refers to the legal or regulatory requirements imposed on data based on the country or region in which it resides. As of early 2021, around 130 or more countries have enacted individual data privacy laws and data residency regulations.
The terms data residency, data sovereignty, and data localization can and often are used interchangeably. However, they can also be used to differentiate between similar but different concepts. In this case, data residency can refer to the concept of where a company chooses to store its data. In this model, data sovereignty presents a more restrictive concept in which data is subject to a nation's laws where it is collected, processed and stored. And data localization, in this model, refers to data of a given business which has to be kept within the borders of a country, whether it is a copy of the data required to be maintained, or a prohibition of the data leaving a specific country's border.
In the case where data residency is used to refer to the location where a government body, industrial body, or business, the organization may specify a location based on:
- Tax benefits, in that specific governments offer a beneficial tax environment for a business ensuring a significant part of its operations stay within the country
- Company policy, in that a business may choose to include data residency in its policy for customer transparency into data storage
- Financial considerations, in that a business may choose to host data in a specific country due to cheaper operating costs as well as the possibility of a beneficial regulatory environment
Data laws by country
In the case of countries that do not have the same data protection laws as those found in the GDPR, and in the case of some countries which have similar protections, there are free trade agreements which prohibit data localization requirements and restrictions on cross-border flow. This is usually restricted to data flow between those countries. The treaties with data partnerships include:
- Trans-Pacific Partnership
- Comprehensive and Progressive Agreement for Trans-Pacific Partnership
- United States-Mexico-Canada Agreement
Cloud computing, which allow businesses to deliver hosted services over the internet, has created data residency concerns. Along with increasing data privacy laws and data residency regulations, more companies are moving to distributed cloud environments, integrated to a central cloud, allowing companies to extend applications and helping companies remain complaint to regional laws.
Often, cloud computing users are unaware of the company's data's physical location, as cloud computing providers store data globally across different data center locations. This can cause compliance concerns when users are unaware of local data residency laws and regulations and where the cloud provider's data centers are located across the globe.
Cloud computing users have to comply with the rules in each jurisdiction where the company operates, but also the rules governing how data is managed at the cloud service provider's data center locations. Service providers and their clients can also ensure where the data can and cannot be stored in service-level agreements.
Data residency-as-a-service companies help businesses operated under local regulations and international regulations when operating in specific countries or regions. These service providers can also help companies store and process regulated data within the country of region. Service providers work to keep clients up-to-date on the changing compliance landscape for physical storage and data transmission outside local borders. And some service providers will also work to help companies expand into new territories and ensure compliance to new data laws.
Data residency service providers can also help companies store data in specified regions and comply with the data residency regulations in those regions, and in moving the data in and out of those regions if they are not the region the client is housed in. Distributed cloud networks for data can help companies meet the regulations of each country and specific customer requirements. A distributed cloud can help companies offer software-as-a-service solution based on regional needs as they can reduce the difficulty of locating data which can occur in centralized cloud implementations.
Dependent on the service provider and the region, data is handled in different ways, but often this includes storing data in secured data centers in the locale in question. Service providers and data centers also develop ways for companies and related applications to communicate and access that data.
The accessing of data can be difficult, as under the GDPR the accessing of personal data is considered a transfer of data under the data protection law. Meaning even if the data is stored in a GDPR country, such as Germany, and the company has engineers in India and those engineers access the data, the data is considered to have moved out of Germany. And this restricts the possibility to claim data residency is in Germany if there is access by support functions in other countries. The use of data can be difficult among countries as definitions of acceptable data use can be different between countries in which a company is operating.
Often, data residency-as-a-service providers will offer end-to-end data encryption services, or else help clients enable end-to-end data encryption in order to increase the security around data. Data residency does not in itself provide encryption or any extra security. Often the encryption around data will remove personal or identifying information from the data and can go further to insure data is unreadable to cloud service providers, government agencies, or other third parties gaining access to the data.
Encryption can be important for data residency, as in some cases, even if the data is stored in the region requiring data storage or based on a regions data privacy laws, that does not mean the data will not be trafficked during its use or generation. For example, Canadian internet traffic often moves through the United States, where it can be accessed, even if that internet data is eventually stored in servers in Canada. As well, copies of data can move from organizations into cloud servers and a lack of encryption or other security measures can leave the data vulnerable.
