Is Your Company Managing Data Across Borders? Here's What You Need To Know


The past 12 months have seen the topic of data privacy hit the headlines and dominate boardroom discussions more than ever before, with GDPR in particular playing a prominent role in how companies handle and manage their customer data. While new legislation is set in stone and available to view in the public domain, it’s clear that the interpretation of this information varies across the board, with companies employing different strategies to ensure they adhere to new regulations. Is your company managing data across borders? Here's what you need to know:


One of the key issues is that the terminology surrounding data as a whole can be easily misunderstood and, ultimately, misconstrued, putting businesses at greater risk of falling foul of the new rules. This article will uncover the subtle differences between ‘data sovereignty’, ‘data residency’ and ‘data localisation’: terms common among companies that manage data across borders, which have very different meanings but have, incorrectly, begun to be used interchangeably.

Data Sovereignty v Data Residency v Data Localisation

Despite having very different definitions, the search activity surrounding each of these is remarkably similar, suggesting that Google users don’t fully appreciate the differences between each term.

Data from Google Trends 

The question is, why does each of these terms exist and what are the differences? Business users, and particularly those responsible for a company’s data, must be aware of what these terms mean and of the importance of keeping on top of each one.

How do the terms interrelate?

The three terms all relate to the same core concept: how cross-border data flows impact data privacy. This topic has become increasingly important in recent years due to the rise in data privacy legislation, including but certainly not limited to GDPR, and the requirements that they collectively place on how, where and when data can move from one country to another.

What is data residency?

This is all about location - where a business or industry needs or prefers to store its data. The reasons for the need or preference can be varied. It may be caused by legislative requirements to keep data in certain places, or policy preferences to actively avoid specific legislation. It can often be down to simple comfort, or performance reasons and avoiding latency.

A common reason for a business’ data residency policy is also a wish to take advantage of a better tax regime. In such instances, a business will often need to prove they are not conducting too great a proportion of core business activities outside that country’s borders – and many jurisdictions consider the processing of data in facilities abroad to be a core business activity, even if the analysts or employees are based within the country’s borders.  

What is data sovereignty?

Data sovereignty goes one step further than data residency. It is the principle that data is subject to the laws of the country in which it is physically stored. This difference is critical as data subjects’ (any person whose personal data is being collected, held or processed) rights vary not just according to their nationality, residence or who their data is processed by, but also according to the country in which their data is physically stored. 

There is also the question of a government’s rights. The ability for a government to access data found within its borders, or to bring legal cases against businesses based on the data within its borders, varies from country to country and government to government. 

It is in these situations that data residency and sovereignty are most often confused. Ensuring data sits within a geographical location for whatever reason - whether making the most of local laws, regulations and tax regimes, or even just through preference or ease - is a matter of data residency. But the principle that the data is subject to the legal protections and punishments of that country is a matter of data sovereignty.

One is a matter of national legal rights and obligations, while the other is a matter of geography. Being able to recognise the difference will help professionals better prepare for compliant data management and exchange.

What is data localisation?

Like data sovereignty, data localisation is a version of data residency that is predicated on legal obligations. It is also the concept that is growing the fastest internationally and is the most stringent and restrictive concept of the three. It requires data to stay within the borders of the country in which it was created.

In contrast to the two terms mentioned above, it is almost always applied to the creation and storage of personal data, with exceptions including some countries’ regulations over tax, accounting and gambling.

In many cases, data localisation laws simply require a copy of the data to be held within a country’s borders, usually to guarantee that the government can audit data on its own citizens (provided there is due cause) without having to contend with another government’s privacy laws. India’s draft Personal Data Protection Bill is an example of exactly this.

However, there are countries that prevent data crossing borders completely. For instance, Russia’s On Personal Data Law (OPD-Law) requires the storage, update and retrieval of data on its citizens to be limited only to data center resources within the Russian Federation, with no copies of the data permitted to cross the border.

These laws are often accused of using the mask of enhanced cybersecurity or citizens’ privacy concerns to conceal an underlying motivation of national protectionism. It is also claimed that they can obstruct businesses and governments from realising the full potential that data stands to offer.

Regardless of the debates surrounding the practices, teams must understand the importance of the differences between these three terms. Currently, the frequency and manner in which these terms are used interchangeably amongst businesses, and even other industry commentators, indicate a dangerously widespread misunderstanding.


Practical tips for managing data across borders

Addressing any confusion in your own business will allow you to identify the precise obligations that apply to you, and those that will apply to your cloud service provider when you assess their capabilities to support you.

As a starting point, try applying the above distinctions to these key questions about your own infrastructure:

  • Where is each of your various categories of data (personal data, financial records, etc.) created or processed, and what obligations might this bring?
  • Where is it then stored, and who owns the data center? Your data may be in a data center in the UK, but if this data center is owned by a US-headquartered company, then the US Government may have the rights to access your data under the CLOUD Act.
  • What are your procedures for back-up? Where is your data backed up to? According to the type of data in question, what local stipulations exist for the security or encryption of that data?
  • How confident are you in your cloud partners' understanding of current and future data privacy regulations? How have they evidenced that their data centers meet all your local and global privacy needs, or have you assumed it?


Tuesday, 19 November 2019