Data residency is the physical location or locations of an organization's data, together with the way the organization manages the storage of specific data in particular locations. Data residency also refers to the legal or regulatory requirements imposed on data based on the country or region in which it resides. As of early 2021, around 130 or more countries have enacted individual data privacy laws and data residency regulations.
The terms data residency, data sovereignty, and data localization can be, and often are, used interchangeably. However, they can also be used to distinguish between similar but different concepts. In that usage, data residency refers to where a company chooses to store its data. Data sovereignty is a more restrictive concept in which data is subject to the laws of the nation where it is collected, processed and stored. Data localization refers to data of a given business that has to be kept within the borders of a country, whether as a requirement to maintain a copy of the data there or as a prohibition on the data leaving that country's borders.
Where data residency is used to refer to the location in which a government body, industrial body, or business stores its data, the organization may specify a location based on:
- Tax benefits, in that specific governments offer a beneficial tax environment for a business ensuring a significant part of its operations stay within the country
- Company policy, in that a business may choose to include data residency in its policy for customer transparency into data storage
- Financial considerations, in that a business may choose to host data in a specific country due to cheaper operating costs as well as the possibility of a beneficial regulatory environment
Data laws by country

| Country or region | Data covered / requirement | Laws and regulations |
|---|---|---|
| | | Information Privacy Act 2014 |
| | | The Personal Information Protection and Electronic Documents Act (PIPEDA); provinces have other acts which regulate the use of data within the province in question. |
| | Personal, business, and financial data | Golden Shield Program |
| | Profile, employment, financial, health, and payment | The General Data Protection Regulation (GDPR) |
| | | The Personal Data Protection Bill |
| | Data must be kept in local data centers | Government Regulation No. 82 of 2012 on the Implementation of Electronic Systems and Transactions |
| | Data from servers run on country domain | Republic of Kazakhstan No. 94-V dated May 21, 2013 'On Personal Data and Its Protection' |
| | | Nigeria Data Protection Regulation 2019 |
| | Geospatial or mapping data | The Personal Information Protection Act; the Act on the Promotion of Information and Communications Network Utilization and Information Protection; and the Act on the Use and Protection of Credit Information. |
| The Kingdom of Saudi Arabia | Profile, health, employee, and financial | KSA Cloud Computing Regulatory Framework |
| The Russian Federation | All personal data | Data Protection Act No. 152 FZ dated 27 July 2006; Information Technologies and Information Protection Act No. 149 FZ dated 27 July 2006 |
| United Arab Emirates (UAE) | Financial, health, internet of things, profile, and government | The Cyber Crime Law; UAE's Central Bank Regulatory Framework for Stored Values and Electronic Payment Systems; Telecommunications Regulatory Authority - The Consumer Protection Regulations; The DHCC Health Data Protection Regulation; The Dubai Data Law |
| | Personal information, financial, nonpublic personal information, healthcare, health insurance | US Privacy Act of 1974; Gramm-Leach-Bliley Act (GLBA); Health Insurance Portability and Accountability Act (HIPAA); Children's Online Privacy Protection Act (COPPA); individual states have individual data privacy laws |
| | Subscriber, health, employee, and financial | Law No. 24/2018/QH14 on Cybersecurity; Law No. 86/2015/QH13 on Cyberinformation Security; Decree No. 85/2016/ND-CP; Circular No. 20/2017/TT-BTTTT |
For countries that do not have the same data protection laws as those found in the GDPR, and for some countries that have similar protections, there are free trade agreements which prohibit data localization requirements and restrictions on cross-border data flow. These provisions usually apply only to data flows between the signatory countries. The treaties with data partnerships include:
- Trans-Pacific Partnership
- Comprehensive and Progressive Agreement for Trans-Pacific Partnership
- United States-Mexico-Canada Agreement
Cloud computing, which allows businesses to deliver hosted services over the internet, has created data residency concerns. As data privacy laws and data residency regulations increase, more companies are moving to distributed cloud environments integrated with a central cloud, which allows them to extend applications and helps them remain compliant with regional laws.
Often, cloud computing users are unaware of the physical location of the company's data, as cloud computing providers store data globally across different data center locations. This can cause compliance concerns when users are unaware of local data residency laws and regulations and of where the cloud provider's data centers are located across the globe.
Cloud computing users have to comply not only with the rules in each jurisdiction where the company operates, but also with the rules governing how data is managed at the cloud service provider's data center locations. Service providers and their clients can also specify in service-level agreements where the data can and cannot be stored.
Data residency-as-a-service companies help businesses operate under local and international regulations when operating in specific countries or regions. These service providers can also help companies store and process regulated data within the country or region. Service providers work to keep clients up to date on the changing compliance landscape for physical storage and for data transmission outside local borders. Some service providers will also help companies expand into new territories and ensure compliance with new data laws.
Data residency service providers can also help companies store data in specified regions and comply with the data residency regulations in those regions, and help with moving the data in and out of those regions if they are not the region the client is housed in. Distributed cloud networks for data can help companies meet the regulations of each country and specific customer requirements. A distributed cloud can help companies offer software-as-a-service solutions based on regional needs, as it can reduce the difficulty of locating data that can occur in centralized cloud implementations.
Depending on the service provider and the region, data is handled in different ways, but often this includes storing data in secured data centers in the locale in question. Service providers and data centers also develop ways for companies and related applications to communicate with and access that data.
Accessing data can be difficult, because under the GDPR accessing personal data is considered a transfer of data under the data protection law. This means that even if the data is stored in a GDPR country, such as Germany, if the company has engineers in India and those engineers access the data, the data is considered to have moved out of Germany. This restricts the possibility of claiming that data residency is in Germany if there is access by support functions in other countries. The use of data can also be difficult across countries, as definitions of acceptable data use can differ between the countries in which a company is operating.
Often, data residency-as-a-service providers will offer end-to-end data encryption services, or else help clients enable end-to-end data encryption, in order to increase the security around data. Data residency does not in itself provide encryption or any extra security. Often the encryption around data will remove personal or identifying information from the data and can go further to ensure the data is unreadable to cloud service providers, government agencies, or other third parties gaining access to the data.
Encryption can be important for data residency because, in some cases, even if the data is stored in the region that requires local storage or in accordance with a region's data privacy laws, that does not mean the data will not pass through other jurisdictions during its use or generation. For example, Canadian internet traffic often moves through the United States, where it can be accessed, even if that internet data is eventually stored on servers in Canada. In addition, copies of data can move from organizations into cloud servers, and a lack of encryption or other security measures can leave the data vulnerable.