Data residency laws create a complex web of requirements for many businesses, particularly those that handle personal information and operate in multiple jurisdictions. Some organizations also focus on data residency based on industry requirements or strategic goals, such as minimizing latency and building user trust.
To stay compliant, you need to understand how these laws apply to the data you collect and store about your users, and whether your processors and sub-processors — such as identity verification and cloud service providers (CSPs) — comply with the applicable laws.
Types of data residency laws
The laws and regulations that affect how you can store and process data generally have several goals:
- Give residents more control over their personal data
- Allow governments to monitor residents
- Prevent identity theft and other cybercrimes
- Create or retain jobs in the country
These laws vary by region, industry, and type of data, but their requirements fall broadly into four groups:
Mandatory data localization
Mandatory data localization laws may require companies to store and process data within a specific country or region. Data localization requirements can ensure that the country’s other data privacy laws will apply to organizations that want to do business in the country.
These laws may have varying levels of restrictions depending on the industry and type of data:
- Complete localization: Also called hard or absolute localization, a complete localization law could require data created in the country to stay in the country. These laws generally don’t extend to all types of personal data. For example, Australia requires personal healthcare data that’s associated with the My Health Records system to be stored and processed within the country.
- Limited localization: Personal data can be shared or stored outside the country depending on the receiving country or company’s privacy and security systems. In Japan, personal data must be kept in Japan unless certain conditions are met, such as the data subject consenting to the transfer or the receiving country meeting Japanese adequacy requirements for securing the data.
- Local copies: A copy of personal data must be kept on servers in the country. If you make changes to the data, you may need to change the version that’s within the country first.
Cross-border data transfer restrictions
Some laws limit when and how businesses can transfer data across borders. These limits on cross-border data flows may lead businesses to keep data within a region even when the law doesn’t mandate data localization.
For example, the European Union’s (EU) General Data Protection Regulation (GDPR) covers all types of personal data and limits transfers from the European Economic Area (EEA) to “third countries.”
Organizations operating within the EU might decide to store and process data gathered in the EU within the EU to limit potential compliance violations, or they can transfer data to third countries in a manner that meets GDPR requirements.
Transferring data to a third country that the European Commission has assessed as having adequate levels of protections, such as the United Kingdom (UK), could be an option. There are also exceptions to cross-border data transfer limitations, such as when the data subject gives their consent for the transfer.
As with data localization, data transfer laws and regulations may be industry- or data-type-specific, and they are more or less restrictive in different parts of the world. For example, the United States (U.S.) has no federal limitations on transferring residents’ personal data outside the country.
Data processing restrictions
Some privacy laws also restrict how organizations can process data — a catch-all term for the various ways an organization may examine or use data — and include strict requirements on how data transfers can be performed in a secure and confidential manner. These relate to data residency because organizations might want to transfer data to a different country for processing to save money or streamline operations. Or, they may want to work with sub-processors based in other countries.
In addition to potential data transfer restrictions, you need to be aware of residents’ rights to limit how their data can be processed and stored and make sure the data storage and processing systems in place can accommodate the users’ requests.
For example, GDPR allows individuals in the EU to restrict the processing of their personal data and gives them the “right to be forgotten.” In the U.S., the California Consumer Privacy Act (CCPA) gives Californians more control over their data, including the right to have personal information deleted, which businesses must honor unless deleting that data would impair their ability to provide core services, and the right to opt out of the sale or sharing of the data.
There may be exceptions that allow companies to process data for law enforcement agencies without an individual’s consent, as is the case in the EU. However, these requests must still be reviewed within the limitations created by data residency laws — which can be further complicated when law enforcement agencies request data that’s stored in a different country.
Cloud residency requirements
Some organizations rely on cloud service providers (CSPs) such as Amazon Web Services, Microsoft Azure, and Google Cloud Platform instead of — or in addition to — storing data on their own infrastructure.
Many providers are aware of potential localization issues and maintain data centers in multiple geographies for their clients. CSPs may also be able to offer different solutions to help clients comply with various data residency laws.
Before working with a CSP, review its third-party certification and accreditation to ensure it can comply with the regional and country-specific requirements based on where you do business. Also review your service-level agreements (SLAs) with all processors to ensure they specify where data can be stored and processed.
How data residency laws impact organizations
Data residency laws can create new challenges for any business that regularly collects or uses personal data, but some industries are more likely to be affected than others, including:
- Energy
- Healthcare
- Government
- Financial services
- Telecommunications
- Critical infrastructure
Where they apply, residency laws may require businesses to establish new technological and operational processes for compliance. Many laws also require businesses to appoint a data protection officer (DPO) who is responsible for managing compliance and corresponding with authorities.
Noncompliance can lead to fines and might shutter a business’s operations in a country. For example, for parts of 2021 and 2022, the Reserve Bank of India restricted American Express, Diners Club, and Mastercard from issuing cards to new customers because of data residency law violations.
Businesses also may want to understand and control where their data is stored and processed for cultural, tax, and system design reasons. For example, keeping data local can improve latency, and businesses with secure data localization systems in place may be able to earn and keep the trust of employees and users.
Solutions for businesses dealing with multiple jurisdictions
Businesses that operate or want to expand into multiple jurisdictions may have to contend with multiple — sometimes competing — data residency laws.
One approach is to build and run data centers inside each country or region. However, it’s often easier and more efficient to contract with CSPs or “residency-as-a-service” providers to help manage data localization.
To help maintain compliance, businesses can opt for providers that offer a single-tenant architecture, giving them exclusive access to their own dedicated infrastructure. Single tenancy also allows companies to control where the data is stored, processed, and transmitted. Note that at this time, Persona does not support single tenancy.
Data residency laws can affect identity verification for KYC and KYB
Many businesses work with a processor to complete identity verification for Know Your Customer (KYC) and Know Your Business (KYB) when onboarding new customers — and for continuous monitoring as needed.
KYC and KYB inevitably involve personal data that could be subject to data residency laws. Businesses that want or need to verify their users’ identities need to comply with these laws and should confirm that the processors they work with comply as well.
How Persona can help
Organizations that partner with Persona for identity verification and fraud prevention can benefit from:
- Integrated security and privacy: Persona's security and privacy frameworks align with many global standards like GDPR and CCPA and are exemplified by our SOC 2 Type II accreditation and ISO 27001 certification.
- Data processing agreements: For customers based in the EU or who plan to expand to the EU, a data processing agreement (DPA) can regulate how data is collected, stored, and processed. Alongside Persona’s strict security controls, the DPA is often sufficient to meet organizations’ needs for cross-border data transfers between the U.S. and EU.
- EU data centers: Persona can offer EU data residency to customers that prefer or need to store users’ data in the EU to streamline GDPR compliance.
Start for free or contact us to learn how Persona’s approach to data residency and security can help you expand with confidence.