
Two terms are making headlines, and they can leave businesses feeling a little confused. We’re talking about data sovereignty and data residency. At a glance, the two concepts can seem fairly similar.
However, understanding data sovereignty vs data residency is often crucial whether your business is wholly localized or you’re crossing international borders. Data regulations can vary even between close neighbors like the U.S. and Canada. Understanding the differences is usually key to staying in regulatory compliance.
Understanding Data Sovereignty
Data sovereignty is the concept that data is subject to the laws of the country or region where it is generated or processed. If a country has "sovereignty over" a piece of data, that means the country has legal authority over that data, including for use in national security.
Data sovereignty is often determined by residency. If data resides in a place, it is usually subject to that place’s laws.
Some data sovereignty laws apply to data regardless of where it moves. For example, the European Union’s (EU) General Data Protection Regulation (GDPR) can apply to data held or processed outside of the EU if that data pertains to EU residents. So it’s not just where the data resides that can be relevant, but also where it was collected or who it relates to.
In much the same way that data can have multiple residencies, it can also fall under multiple sovereignties. For example, data that resides in an EU country must abide by that country’s local laws and the EU-wide GDPR. Examples of some of the various data sovereignty requirements are:
- Some countries restrict the kinds of sensitive data that a company can collect and how it can collect that data.
- A few countries place limits on how organizations can use particular kinds of data.
- Other countries mandate certain cybersecurity controls and require organizations to follow specific processes in the event of a data breach.
- Some privacy regulations give data subjects a lot of rights over their data, including the ability to have it deleted.
Failing to comply with local data laws can lead to fines or other legal penalties. It can also cause reputational damage, sometimes irreparable. If an organization ignores data privacy regulations, it’s not uncommon for customers to take their business to a competitor.
Defining Data Residency
Data residency refers to the physical location of your business’s data. Data is said to reside in a particular nation, state, or place if the data centers, servers, or other machines that house or handle the data are physically located in that place. In simple terms, your data’s storage location is also its residency.
Because a business’s data can move around a lot, a single organization’s data can have multiple residencies. Yep, this can get confusing. For example, suppose a business based in the US collects personal data from US consumers and stores that information on servers in the US. Obviously, the data resides in the US.
In comparison, let’s say the same organization uses a SaaS (software as a service) app to process this data, and the app’s servers are located in Canada. Any data transferred to the Canadian servers for processing might now reside in Canada, and it might fall under Canadian data laws.
To keep things relatively simple: data residency requirements often originate from an organization’s internal policies or contractual commitments, independent of any regulatory requirement to localize data. This doesn’t necessarily mean you can ignore local laws, but internal and contractual policies may take precedence. Every scenario can be different, so check the applicable local data regulations.
Don’t forget, organizations do not always have a choice over where their data resides. Some regions have laws with data localization requirements, which mandate that organizations keep or process their data in a particular place.
Don’t Confuse Data Residency with Localization
Even though the terms are often used interchangeably, the concepts are quite different. Data residency describes where data is held. Data localization refers to legal requirements to keep data where it was created. In other words, the data stays put rather than moving around.
Some countries also have data localization requirements. This means organizations must keep any data created in that country within the country’s borders. These requirements can range from merely keeping a copy of the data in the country to bans on data transfers outside the country.
The Potential Impact of Data Sovereignty and Data Residency on Your Business
Data residency and data sovereignty requirements can shape an organization’s decisions about the kinds of data it collects, the way it uses that data, and the IT infrastructure it builds.
Data Security Protocols
Some countries mandate that organizations take certain steps to secure data, such as applying specific access controls and threat detection technologies. While preventing unauthorized access to sensitive information is already a priority for most organizations, data residency and sovereignty can dictate the specific data security steps they must take.
Managing Data
Some data laws regulate what organizations can do with the information they have. For example, some laws forbid the use of sensitive data unless specific restrictive conditions are met. Other laws grant people considerable rights over their personal data. This often includes the right to have it deleted upon request.
Organizations that are subject to these laws must put protocols in place to ensure that data is used appropriately and that consumers can exercise their rights with ease.
Cloud Infrastructure
Most organizations use cloud services for data storage, processing, analytics, and other key workloads. As data moves through an organization's cloud-connected IT infrastructure, it can cross many borders. Wherever the data goes, it can be subject to new laws.
When working with cloud service providers, organizations need to be aware of where their data goes for storage, backups, and processing.
Successfully Meeting All Data Regulations
Your business literally runs on data; it’s not just a catchphrase. However, there are laws governing what your business does with the data it collects. These laws often vary and aren’t always easy to keep track of. Understanding data sovereignty and how it differs from data residency is a big step towards ensuring compliance.