Data sovereignty vs. data residency: Key factors in privacy and security
When it comes to designing your company’s customer data policy, there’s a lot to consider. In addition to factors like data retention — how long your business will keep customer data, either due to regulatory or business requirements — you’ll also need to ensure that your policy adequately considers data residency and data sovereignty requirements.
Data residency and data sovereignty are two related concepts that are often discussed alongside each other. But there are key differences between the two.
Below, we take a closer look at what data sovereignty and data residency actually are, including a brief overview of some of the laws and regulations that establish them. We also review the key differences between the two concepts and discuss how they can impact your customer data policy.
What is data sovereignty?
Data sovereignty is a framework that aims to determine who has the right to regulate customer data created, collected, or stored by a company. This tells us what laws the data is subject to, and which a company must comply with.
Under this framework, a country may have sovereignty over data if that data was:
Created or collected in the country
Stored in the country
Data sovereignty laws
In order for a country to claim sovereignty over data, it must first have a law (or laws) in place that would apply to said data. In addition to other types of regulations, this often includes laws related to data privacy and security.
For example, in the United States, a few well-known examples at the federal level include:
Executive Order 14117 / 28 CFR 202 (Preventing Access to US Sensitive Personal Data and Government-Related Data by Countries of Concern or Covered Persons)
Privacy Act of 1974
Additionally, around 20 states have consumer data privacy laws, and there’s pending legislation in others. Some of these laws include the:
Illinois Biometric Information Privacy Act (BIPA)
Colorado Privacy Act (CPA)
Connecticut Data Privacy Act (CDPA)
Utah Consumer Privacy Act (UCPA)
Virginia Consumer Data Protection Act (VCDPA)
Outside the US, a few data privacy laws you might be familiar with include:
UK’s Data Protection Act 2018
Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA)
Australia’s Privacy Principles (APP)
Complying with the regulations and requirements in every region where you collect, store, or process data is important.
These requirements can dictate the types of data you can collect, where you can store it, how long you can retain it, and the security systems you must have in place.
What is data residency?
Data residency refers to where you store or process data. Data residency laws may require that any consumer data you collect be stored in the country, a concept known as data localization.
The law may restrict the transfer of certain consumer data. For example, you might need to get the consumer’s consent first, or only transfer data to countries or regions with approved security measures.
Many of the laws that establish a country’s claim of data sovereignty also establish data residency requirements.
The EU’s GDPR, for example, requires companies that collect personal data about an EU subject to store the data within the EU unless the European Commission approves the receiving country’s safeguards and protections in place. Exceptions are allowed when a customer gives their explicit consent for their data to be transferred.
Meanwhile, in the United States, the Protecting Americans' Data from Foreign Adversaries Act (PADFA) forbids data brokers from making personally identifiable sensitive data of a US individual available to foreign adversaries, and entities that a foreign adversary controls.
Data sovereignty and data residency: differences and links
Data sovereignty focuses on which country has the right to regulate data, while data residency refers to where you store the data.
The two concepts are linked because many countries claim sovereignty over data collected from their residents or within their borders. As a result, compliance can quickly get complicated when you want to collect and store data in different countries.
Getting your company’s customer data policy right requires you to consider your data residency practices and the applicable laws. Additionally, you have to think through who you’re targeting or selling to, because some countries may claim data sovereignty if you offer goods or services to their residents.
Choosing the right partner helps
If you work with external partners to collect, process, or store customer data — for example, as a part of your identity verification (IDV), Know Your Customer (KYC), or Know Your Business (KYB) processes — it’s important to think about how those partners fit into the broader patchwork of data residency, privacy, and security laws.
At Persona, we understand that data sovereignty, residency, and retention issues can quickly become incredibly complex, especially for businesses operating in multiple jurisdictions. That’s why we offer our customers a number of solutions to help get their data policies right the first time, including:
Data centers in the United States and EU: Where available, customers can choose US or EU storage to ensure compliance with data residency requirements.
Data processing agreements: In order to facilitate cross-border data transfers, customers can request a data processing agreement (DPA) to officially guide how customer data is collected, stored, and processed with Persona.
A transparent privacy policy: Our privacy and security frameworks are based on and align with global standards to meet or exceed requirements.
Ready to learn more about how Persona can help you get your customer data policy right? Start for free, or contact us for a demo today.