Data Residency – Laws and Requirements
Data residency defines in which country the organization’s data is stored (physically or geographically).
Most often businesses have to operate under local regulations, which require that data about nations’ citizens or residents must be collected, processed, and/or stored inside the country. It mainly happens due to regulatory, tax, or policy reasons.
Data can still be transferred – after meeting local privacy or data protection laws, such as giving the user notice of how the information will be used and obtaining their consent.
Data sovereignty, data residency, and data localization could be mixed up and could cost your business when it comes to regulation breaches. You need to differentiate these three terms. It’s also important to understand how they affect your data.
Data residency refers to where the data is stored by a business, industry body. The government enforces regulations that they are to be stored in a geographical location of their choice, usually for regulatory or policy reasons.
Data sovereignty is not just about the data stored in a specific location but is also about the laws of the country in which it is physically stored. Data subjects will have different privacy and security rules enforced according to where the data centers housing their data are located.
Data localization states that data created within certain borders stay within them. In contrast to Residency and Sovereignty, it is always applied to the creation and storage of personal data, with exceptions including some countries’ regulations over tax, accounting, etc.
Where are each category of data (personal data, financial records, etc) created or processed and what obligations might this bring? Where is it stored, and who owns the data center?
What are your procedures for backup? Where is your data backed up to?
How have they documented and provided proof that their data centers meet all your local and global privacy needs?
Data Residency Laws around the World
Data localization can be exclusively required by law or other restrictive policies that make it difficult to transfer data. It requires companies to store a copy of the data locally, process data locally and mandate individual or government consent for data transfers.
Let’s have a closer look at some data residency requirements examples by country.
On 1 July 2020, the consumer data right went live for limited data sharing in relation to the four major banks. The remaining banking data subject to CDR must be available for sharing by those big four banks from 1 November 2020. By the regulations of the Personally Controlled Health Records Act, all personal medical information in Australia has to be stored in local servers.
Canada requires public bodies like schools, public agencies, hospitals, etc to store their personal data within the nation’s borders where the data can only be accessed from within the country.
China has one of the strict data residency and localization laws. In addition to restricting access to certain websites (the Great Firewall of China), organizations also have to comply with a wide range of data residency practices. For instance, banking services in China have to place their data servers in the Asian nation. Also, Chinese personal financial information can only be analyzed, stored, and processed locally. The data of internet-based mapping services, medical and health records, have to be kept in China. Companies must also comply with a cybersecurity law that prohibits personal information and important business data from leaving the country.
Data produced by local and national public administrations have to be stored within the country’s borders. It is also illegal to move information that is connected to legal proceedings outside of the nation.
Germany has similar views on data residency as France, acting on the idea of personal information stored locally within its borders. While data residency laws can vary by state, all organizations within Germany have to store accounting data in the EU. Organizations and individuals liable for taxes have to keep their accounting records within the country’s borders
Russia has enforced strict data residency and localization laws. As per the 2015 Personal Data Law, personal information collected from Russian citizens is required to do all their data-related operations using databases that are physically located in Russia. It requires Telecom companies to store all data in the country for six months. The Russian government could impose a fine or shut down the services that fail to comply with data residency laws.
The government first enforced its Personal Data Protection Bill in Parliament on Dec. 11, 2019, after more than two years of debate on the bill. According to the new Indian bill, to collect personal data, establishments classified as data fiduciaries must obtain consent from the individuals whose data is in question. Data collectors are also subject to many new reporting requirements. The bill imposes additional requirements, obtaining parent or guardian consent for the collection of data belonging to children. The biggest concern about the bill among activists is the exemptions granted to the government for data collection. Data protection bill states that exceptions can be made to data collection whenever the government feels that it is “necessary or expedient” in the “interests of sovereignty and integrity of India, national security, friendly relations with foreign states, and public order.”
Data Residency with FileCloud
FileCloud offers data residency options, giving options to customers to select the region of their choice for storing and processing data. FileCloud offers 100% flexibility on where to store and process data. It can be deployed as a private hosting setup or hybrid cloud on an infrastructure that customers control. You can pick the infrastructure and location where FileCloud runs, which helps to comply with many growing strict regional privacy requirements like the European Union.
FileCloud will help you comply with the regulations required in your specific industry or vertical. The growing requirements for securing corporate privacy and keeping multi-level threats at bay require a strongly compliant File Sharing and Sync solution.
FileCloud has On-Prem, self-hosted solution, so you pick the infrastructure and location where FileCloud runs, which helps to comply with many growing strict regional privacy requirements like the European Union. FileCloud Online allows customers to choose the region of their choice for file storage.
FileCloud comes equipped with state of the art infrastructure and features :
- Secure servers: The data is stored in remote secure servers which are maintained by dedicated teams for the security of data.
- Automatic Backups: The data is regularly backed up automatically at regular intervals thereby ensuring the latest data files are available to the users.
- Recover Deleted files: The deleted files and folder can be easily recovered by the user thus ensuring no data gets lost.
- Secure File sharing: Files can be easily shared with FileCloud’s cloud storage services. The user can share files publicly or privately depending on the requirement.
- Affordable: FileCloud provides its user with the best online cloud storage services which are secure as well as affordable for businesses.