May 1, 2023
Data Residency: Why 2023 Is the Year to Take It Seriously
Managing and transferring customer data is increasing in complexity as more countries across the world define and enforce data residency requirements. This makes 2023 the year to implement a comprehensive and scalable data residency strategy.
Data residency requirements define which types of sensitive data need to be stored or processed within a specific geographic location in order to meet local data privacy laws.
As more countries adopt different data residency requirements, it’s becoming increasingly complex for businesses to remain compliant. TikTok has decided to geo-replicate its data infrastructure to meet the data residency requirements of specific regions, like the European Union (EU), but does this make sense? Wholesale migration (or geo-replication) of your data infrastructure is an expensive strategy for any company, and it doesn’t scale.
Global businesses must take data residency seriously in 2023 because changing data residency requirements can lead to hefty fines, long, drawn-out court cases, and severe business restrictions. But the good news is that there are cost-effective approaches to data residency compliance that make it easier to expand into new markets without the need to rebuild your infrastructure in each market.
In this post, we’ll discuss the history of EU - US cross-border data transfers and the drawbacks of full backend geo-replication as a compliance strategy. We’ll also look at the increasing complexity of data residency compliance for global companies. And lastly, we’ll explore how Skyflow lets you simplify compliance without geo-replicating your infrastructure in each region.
Data Residency Restricts the Movement of Sensitive Data Across Borders
Data residency restricts sensitive data to the region where it originates. Data residency requirements are common provisions in data privacy and protection laws that seek to govern the use of sensitive data – especially PII, PHI, or related categories of personal information.
So, for example, the EU’s GDPR has data residency requirements that only allow businesses to transfer personal data to a country that has adequate levels of legal data protection. If this condition isn’t met, businesses need to implement additional corporate rules, recipient contracts, and safeguards before transferring the personal information of EU residents outside the region.
And while the EU is the largest market with data residency requirements, as you’ll see below, it’s hardly the only one. Australia has data residency requirements that restrict healthcare data. Several other nations, including Brazil, India, and Indonesia, either have data residency requirements or are developing them.
Some businesses view data residency requirements as cumbersome. But evolving concerns over data privacy and a history of invalidated cross-border data transfer rules suggest that businesses need to stop hoping for data residency requirements to go away, and need to start looking for cost-effective and scalable compliance solutions.
EU - US Data Transfers: A Cautionary Tale of Changing Standards
The ongoing shifts in rules surrounding EU - US data transfers provide good reasons for businesses to seek solutions that avoid the need for such transfers. Over the last 25 years, the U.S. and EU have implemented several changes in sensitive data transfer rules.
First, data privacy concerns about the International Safe Harbor Privacy Principles from 2000 led to the creation of a more rigorously defined set of rules known as the EU - U.S. Privacy Shield in 2016.
But, these rules didn’t survive privacy challenges posed in the EU courts, so now businesses are eyeing a new EU - U.S. Data Privacy Framework and looking at how to comply, while also wondering how long this latest set of rules will remain in effect.
So, despite years of negotiation and collaboration, an adverse EU court ruling could bring into question the validity of the newly-announced EU - U.S. Data Privacy Framework. If this occurs, any company reliant on this framework would need to quickly implement costly data infrastructure restructuring projects to retain access to EU markets.
The complexity and uncertainty of cross-border data transfers between the EU and US poses formidable challenges to any company without scalable solutions for data residency compliance. The recent EU ruling against Meta, which came with a fine of €1.2 billion, highlights why it's important to use architectural solutions to store the personal data of EU residents within the EU and avoid cross-border data transfers.
And the existence of data residency requirements in other markets poses similar risks and challenges.
Violating Data Residency Requirements Leads to Hefty Fines
Violating data privacy laws and data residency requirements may result in fines and bad press that can jeopardize your business. For example, depending on the severity of the violation, GDPR fines can amount to up to 4% of a firm’s global revenues in the preceding fiscal year.
Large multinational businesses like Meta aren't the only ones who have already been subject to GDPR fines. Local businesses can also be fined for GDPR violations — for example, a German chat website was fined 20,000 euros following a data breach in 2018.
The bad press businesses receive from such incidents is just as harmful as the financial losses. Some businesses may never be able to regain user trust after a data breach incident or compliance violation. Violating local data residency requirements can also close the door to future business in that country or region.
But meeting data residency requirements with a centralized data infrastructure that’s layered with multiple regional restrictions or by geo-replicating multiple data infrastructures both present their own set of problems. That is why global businesses like Apaya solved data residency requirements using a data privacy vault.
Data Residency Compliance Is Becoming Increasingly Complex
Over the last decade, the following countries and regions have defined new data residency requirements as part of their data privacy and protection laws:
- Australia implemented the Australian Privacy Principles (APP) in 2014
- Brazil passed LGPD in 2018
- Bahrain enacted its Personal Data Protection Law in 2019
- Canada introduced Bill C-11 in 2020, further strengthening PIPEDA laws
- European Union has has been enforcing GDPR since 2018
- Indonesia has data localization requirements defined by GR 82 since 2012
- Japan’s Act on the Protection of Personal Information (APPI) was overhauled in 2015
- Korea implemented the Personal Information Protection Act in 2014
- South Africa’s Protection of Personal Information (POPI) Act has been in place since 2020
- United Arab Emirates implemented Law No. 45 in 2021 to strengthen the existing Personal Data Protection law
- Vietnam passed the Decree on Protection of Personal Data that goes into effect July 1, 2023
At the same time, countries like India are on the verge of implementing new data protection laws.
The more countries your business operates in, the more data residency requirements you need to honor. An ever-expanding list of requirements can make data residency compliance a constant concern if you don’t have scalable, architectural solutions to data residency requirements.
Every additional requirement also further increases the cost and complexity of data residency compliance. For instance, doing business in a country like Canada, which has 10 provinces and three territories, each with its own local interpretation of data residency requirements, can introduce new challenges.
Following the passage of privacy modernization Law 25 (previously Bill 64), the province of Québec recently passed the Private Sector Act that requires businesses to perform a privacy impact assessment before they transfer the personal information of residents outside of Québec.
But other Canadian provinces don’t have such an explicit requirement. So a business that is unaware of this law could face stiff legal action if they make the mistake of transferring sensitive user data outside of Québec without a privacy assessment.
Compliance complexity also increases when there is a conflict between data residency requirements and other laws. For example, anti-money laundering protocols in the U.S. can require a business to share sensitive user data from another region. But the data privacy laws of that region might prevent the sharing of this information. Coordinating between the two authorities from the different countries will increase the costs, effort, and time required to arrive at a satisfying conclusion for all parties involved.
Both of the above examples highlight the need for global businesses to create secure and data privacy-compliant workflows that don’t require transferring sensitive data outside its region of origin. Tokenizing sensitive data records and creating secure workflows are quickly emerging as the best alternative solutions.
So, what is the right solution for your business?
Should You Geo-Replicate Your Infrastructure?
Instead of relying on government agreements that are subject to constant change, some businesses choose to geo-replicate their backend operations to comply with the data residency requirements of different regions. But geo-replication is very costly to implement and maintain. With geo-replication, you multiply your infrastructure costs and increase your maintenance burden as you maintain a fragmented infrastructure.
As we show below, using a data privacy vault to isolate sensitive data within a region is a more scalable and sustainable alternative to geo-replication.
Solve Data Residency Requirements Without Geo-Replication
The conventional approach to implementing data residency compliance involves duplicating or recreating your existing data infrastructure in each region where you operate. But creating geo-duplicated backends in multiple regions fragments your data sources and other infrastructure. And this, in turn, leads to data governance, data quality, maintenance, and operational problems down the line.
Using a traditional, geo-replication approach, a business that operates in the EU and Brazil will need to create a separate instance of its data infrastructure in each location. But the separation of these two databases means that your analytics team won’t have a single source of truth to answer business questions such as “what is our total number of active customers?”, or more complicated questions like “what is our average customer lifetime purchase value?”.
And this means that more engineers will be needed to monitor and maintain these duplicate instances. And other costs, like licensing, increase as you add more regions with a geo-replication approach.
The better approach is to comply with data residency requirements by using Skyflow Data Privacy Vault to keep sensitive data close to your customers in each region.
Scalable Data Residency with Skyflow
Skyflow Vault makes it easy for you to isolate sensitive customer data and host it in its region of origin. With Skyflow, you can create multiple vaults, each containing sensitive customer data from a specific region. The vault creates tokens that point to sensitive data records without actually sharing them, so you can enjoy the benefits of centralizing your backend, data lake, and analytics and use third-party apps without violating data residency requirements.
With this modern approach, the same business described above can enjoy the benefits of a centralized data infrastructure. Instead of needing separate EU and Brazil instances, they can store sensitive user data (and only sensitive data) from each location in a local vault. And, this approach makes it easier to expand into new regions and markets so you can grow revenue and reach new customers.
Along with cost savings and easing entry into new markets, this approach enables global analytics. An analytics team can query both the EU and Brazil vaults for a “list of active customers”, and they only receive tokens that point to sensitive data, but this gives them the information needed to answer important business questions like “what is our average customer lifetime purchase value?”.
Because these tokens themselves don’t contain sensitive information, they can freely be moved across borders and stored throughout your systems without violating data residency requirements.
Beyond easing data residency and supporting global analytics, using a data privacy vault provides a several additional benefits:
- Data Isolation: When you isolate sensitive data in a data privacy vault, you avoid one of the major issues with data security: sensitive data sprawl. Data sprawl occurs when sensitive data like names or social security numbers are replicated from one system to another, increasing the amount of infrastructure that’s impacted by regulatory compliance, complicating data residency, and increasing the attack surface area for malicious hackers to exploit.
- Data Protection: A data privacy vault uses a combination of encryption and tokenization techniques to protect sensitive data stored in the vault. Encryption protects the sensitive data that’s isolated in the vault, and includes polymorphic encryption to support data use without decrypting sensitive data. Meanwhile, tokenization makes it easy to reference sensitive data from other systems without exposing this data.
- Data Governance: With sensitive data isolated in a data privacy vault, access is governed using a combination of zero trust architecture and fine-grained access controls that you configure. These access controls provide only the minimum amount of data that’s required for business-critical workflows. Data governance also includes audit logging capabilities that let you track sensitive data access and prove compliance.
As you can see, using a data privacy vault to meet data residency requirements makes sense, regardless of whether you’re looking to rapidly enter new markets, minimize maintenance overhead, or protect your business from legal challenges to privacy regulations or frameworks like the new EU - US Data Privacy Framework or GDPR.
Learn More About Skyflow Data Privacy Vault
To learn more about how Skyflow can help your business enter new markets or ease compliance with data residency laws across multiple countries, check out our recorded event: How a Data Privacy Vault Simplifies Data Residency.
You can also sign up for a personalized Skyflow demo.