Data residency laws and KYC

Data residency laws can make KYC and KYB more complex. Learn what they are and how you can manage storing and processing data in different jurisdictions.

icon of a person in a shield with a check mark
Read time:
Share this post
Table of contents
⚡ Key takeaways
  • Data residency laws may require you to store and process the data you use that originates within a specific country or region. 
  • Your vendors, including identity verification, KYC, and cloud-service providers, also need to comply with data residency laws because these companies process your users’ data. 
  • Partner with providers that align with your data residency compliance strategy so you can continue to focus on your core business when expanding to new regions.

Data residency laws create a complex web of requirements for many businesses, particularly those that handle personal information and operate in multiple jurisdictions. Some organizations also focus on data residency based on industry requirements or strategic goals, such as minimizing latency and building user trust.

To stay compliant, you need to understand how these laws apply to the data you collect and store about your users, and whether your processors and sub-processors — such as identity verification and cloud service providers (CSPs) — comply with the applicable laws. 

Types of data residency laws

The laws and regulations that affect how you can store and process data generally have several goals:

  • Give residents more control over their personal data
  • Allow governments to monitor residents 
  • Prevent identity theft and other cybercrimes 
  • Create or retain jobs in the country  

These types of laws can vary by region, industry, and type of data, but you can broadly categorize these requirements into four groups: 

Mandatory data localization

Mandatory data localization laws may require companies to store and process data within a specific country or region. Data localization requirements can ensure that the country’s other data privacy laws will apply to organizations that want to do business in the country. 

These laws may have varying levels of restrictions depending on the industry and type of data:

  • Complete localization: Also called hard or absolute localization, a complete localization law could require data created in the country to stay in the country. These laws generally don’t extend to all types of personal data. For example, Australia requires personal healthcare data that’s associated with the My Health Records system to be stored and processed within the country.
  • Limited localization: Personal data can be shared or stored outside the country  depending on the receiving country or company’s privacy and security systems. In Japan, personal data must be kept in Japan unless certain conditions are met, such as the data subject consenting to the transfer or the receiving country meeting Japanese adequacy requirements for securing the data. 
  • Local copies: A copy of personal data must be kept on servers in the country. If you make changes to the data, you may need to change the version that’s within the country first. 

Some laws limit when and how businesses can transfer data. These limits on cross-border data flows may lead businesses to keep data within a region even if the law doesn’t mandate data localization. 

For example, the European Union (EU)’s General Data Protection Regulation (GDPR) covers all types of personal data and limits transfers from the European Economic Area (EEA) to “third countries.” 

Organizations operating within the EU might decide to store and process the data gathered in the EU to limit potential compliance violations, or, they can transfer data to third countries by aligning with GDPR requirements. 

Transferring data to a third country that the European Commission has assessed as having adequate levels of protections, such as the United Kingdom (UK), could be an option. There are also exceptions to cross-border data transfer limitations, such as when the data subject gives their consent for the transfer. 

As with data localization, the data transfer laws and regulations may be industry- or data-type specific, and more or less restrictive in other parts of the world. For example, the United States (U.S.) doesn’t have federal limitations on transferring residents’ personal data outside the country. 

Data processing restrictions

Some privacy laws also restrict how organizations can process data — a catch-all term for the various ways an organization may examine or use data — and include strict requirements on how data transfers can be performed in a secure and confidential manner. These relate to data residency because organizations might want to transfer data to a different country for processing to save money or streamline operations. Or, they may want to work with sub-processors based in other countries.  

In addition to potential data transfer restrictions, you need to be aware of residents’ rights to limit how their data can be processed and stored and make sure the data storage and processing systems in place can accommodate the users’ requests. 

For example, GDPR allows individuals in the EU to restrict the processing of their personal data and gives them the “right to be forgotten.” In the U.S., the California Consumer Privacy Act (CCPA) gives Californians more control over their data, including the right to delete personal information, which businesses must comply with unless that data impairs their ability to provide core services, and to opt out of the sale or sharing of the data.

There may be exceptions that allow companies to process data for law enforcement agencies without an individual’s consent, as is the case in the EU, for example. However, these requests still must be reviewed within the limitations created by data residency laws — which can be further complicated when law enforcement agencies request data that’s stored in a different country. 

Cloud residency requirements

Some organizations rely on cloud service providers (CSPs) such as Amazon Web Services, Microsoft Azure, and Google Cloud Platform instead of — or in addition to — storing data on their own. 

Many providers are aware of potential localization issues and maintain data centers in multiple geographies for their clients. CSPs may also be able to offer different solutions to help clients comply with various data residency laws. 

Before working with a CSP, review its third-party certification and accreditation to ensure it can comply with the regional and country-specific requirements based on where you do business. Also review your service-level agreements (SLAs) with all processors to ensure they specify where data can be stored and processed.  

How data residency laws impact organizations

Data residency laws can create new challenges for businesses that regularly collect or use personal data. However, some industries are more likely to be affected by data residency laws than others, including:

  • Energy
  • Healthcare
  • Government
  • Financial services
  • Telecommunications
  • Critical infrastructure

When applicable, the residency laws may even require businesses to establish new technological and operational processes for compliance. Many laws also require businesses to have a data protection officer (DPO) who is responsible for managing compliance and corresponding with authorities. 

Noncompliance can lead to fines and might shutter a business’s operations in a country. For example, for parts of 2021 and 2022, the Reserve Bank of India restricted American Express, Diners Club, and Mastercard from issuing cards to new customers because of data residency law violations. 

Businesses also may want to understand and control where their data is stored and processed for cultural, tax, and system design reasons. For example, keeping data local can improve latency, and businesses with secure data localization systems in place may be able to earn and keep the trust of employees and users. 

Solutions for businesses dealing with multiple jurisdictions

Businesses that operate or want to expand into multiple jurisdictions may have to contend with multiple — sometimes competing — data residency laws

One approach is to build and run data centers inside each country or region. However, it’s often easier and more efficient to contract with CSPs or “residency-as-a-service” providers to help manage data localization. 

To help maintain compliance, businesses can opt for providers that offer a single-tenant architecture, giving them exclusive access to their own dedicated infrastructure. Single tenancy also allows companies to control where the data is stored, processed, and transmitted. Note that at this time, Persona does not support single tenancy.

Data residency laws can affect identity verification for KYC and KYB 

Many businesses work with a processor to complete identity verification for Know Your Customer (KYC) and Know Your Business (KYB) when onboarding new customers — and for continuous monitoring as needed. 

KYC and KYB inevitably involve personal data that could be subject to data residency laws. Businesses that want or need to verify their users’ identities need to comply with these laws and should confirm that the processors they work with comply as well. 

Free white paper
See how experts evaluate KYC/KYB solutions

How Persona can help

Organizations that partner with Persona for identity verification and fraud prevention can benefit from: 

  • Integrated security and privacy: Persona's security and privacy frameworks align with many global standards like GDPR and CCPA and are exemplified by our SOC 2 Type II accreditation and ISO 27001 certification. 
  • Data processing agreements: For customers based in the EU or who plan to expand to the EU, a data processing agreement (DPA) can regulate how data is collected, stored, and processed. Alongside Persona’s strict security controls, the DPA is often sufficient to meet organizations’ needs for cross-border data transfers between the U.S. and EU.
  • EU data centers: Persona can offer EU data residency to customers that prefer or need to store users’ data in the EU to streamline GDPR compliance.

Start for free or contact us to learn how Persona’s approach to data residency and security can help you expand with confidence. 

Frequently asked questions

Which types of data are typically subject to data residency laws?

Some data residency laws only apply to specific types of data. Often, this includes sensitive personal data such as someone’s health records, biometrics, financial data, political affiliation, criminal record, sexual orientation, race, and ethnicity. 

Other laws apply to a broad definition of personal data. For example, GDPR defines personal data as any information related to an identified or identifiable natural person, which might include a person’s name, address, identification number, IP address, location data, or username(s).

What are the main reasons for data residency laws?

Data residency laws generally give residents more control over their personal data. In more authoritarian countries, they give governments more control over their residents’ data. The laws may also help address growing cybersecurity and identity theft concerns, and although it may not be the primary reason for the law, some data localization regulations may support local economies by creating or retaining jobs.

How can technology help address data residency challenges?

Solutions providers and cloud service providers (CSPs) can take different approaches to helping businesses comply with data residency laws. Some may take on the heavy lift of managing personal data segregation, storage, and processing. Others can help you comply with data residency laws by setting up data centers in the regions where you operate.

Continue reading

Continue reading

Identity challenges in the travel industry: How hospitality businesses can fight fraud
Identity challenges in the travel industry: How hospitality businesses can fight fraud

Identity challenges in the travel industry: How hospitality businesses can fight fraud

Identity fraud in the travel industry has become increasingly common. Here are some common identity challenges and potential solutions businesses need to know about.

How digital health apps can overcome four barriers to converting users
How digital health apps can overcome four barriers to converting users

How digital health apps can overcome four barriers to converting users

New patients might abandon onboarding if they’re confused, frustrated, or overwhelmed. Here are four ways digital health apps can improve conversion.

How to create scalable and compliant international KYB processes
How to create scalable and compliant international KYB processes

How to create scalable and compliant international KYB processes

Industry experts discuss international KYB and debunk common myths while sharing how to build a scalable global KYB process.

Data residency laws: An international guide

Data residency laws: An international guide

Get an overview of data residency laws in the U.S. and around the world.

New age of data privacy regulation: How businesses can prepare

New age of data privacy regulation: How businesses can prepare

It’s only a matter of time before new data privacy regulation is passed, so it’s pertinent that businesses prepare before it’s too late.

Data subject access requests for the GDPR

Data subject access requests for the GDPR

Learn about data subject access requests (DSARs) for the GDPR and individuals’ rights to access their personal data.

Ready to get started?

Get in touch or start exploring Persona today.