It pays to know where your data lives. And for some industries and countries, it’s mandatory. So, the question is: what is data residency and why should you and I care about it?
Get the scoop on how GDPR and other regulations underscore the value of keeping your data close to home — and the related benefits that go beyond compliance.
Data residency has become one of the big (but important!) things businesses have to think about, so let’s go Ask Dux!
In today’s episode:
What is data residency?
Think about your stuff in the office. You know where your things are: your computer, your desk chair, your coworkers. But what about the actual data you work with every day? You may not know where it goes in the cloud, and that question comes down to the geographic location where it is stored.
When we talk about data residency, we mean storing and processing personal information within a particular region, in accordance with the laws of that jurisdiction.
Why is it important?
In the past, before the cloud, organizations stored and looked after their own data on premises, and providers and organizations alike were directly responsible for the personal information they held.
Today, with the cloud, we sometimes don't know where the data is physically stored. That raises a lot of concerns, especially from government organizations, about how the data is being used and whether it is well protected.
There are general cybersecurity concerns, and concerns about government access requests in particular. Governments want assurance that data held within their geographies is well protected, and some mandate data residency as an extra layer of security, especially for government organizations.
So it's no surprise that providers like Microsoft, Amazon, and Google operate local data centers, and in some cases data centers dedicated to a specific government.
General Data Protection Regulation (GDPR): The gold standard of data regulation
GDPR is a data compliance standard that was established in Europe. It was one of the first sweeping standards around protecting personal information.
There are many guidelines and rules around it, but essentially it says: any organization that accesses or keeps the personal data of any European citizen must protect it to a certain standard. If that information is breached or otherwise compromised, the organization or government entity holding it will be held liable and responsible.
It lays out guidelines on how organizations are supposed to protect the personal information of Europeans. That's the general idea.
There are also many specific considerations within it. One that we now see a lot is the 'right to be forgotten'. Say you are a European citizen and you leave your employer. You can ask your employer to get rid of any personal information they hold about you, and not just your HR record: it could be emails, chats, and documents.
So there are a lot of these guidelines. Shortly after GDPR, many other privacy regulations followed, such as the CCPA (California Consumer Privacy Act), and we are seeing similar guidelines emerging elsewhere, including in South America.
How should you comply?
GDPR is very strict, and enforcement is very strong. We have already seen companies fined up to 20 million euros, roughly 20 million US dollars depending on the exchange rate.
Organizations that need to comply must not only put these policies in place but also make sure the policies are actually enforced, and they need technology to do that.
For us at AvePoint, we do have technologies and capabilities to help these organizations comply with GDPR and make sure that data is protected. And if you get audited, you can prove that you’re complying with GDPR.
Complying with data regulations the right way
It begins with data mapping: understanding what data you have and where it’s located.
Especially now that many organizations are global, you may have colleagues and employees in different parts of the world. If your data is spread out like that, you need to analyze which laws and regulations apply to you and what the associated risks are.
In short, you need to proactively control your data location, assess the risks, and take the actions required to minimize unwanted data exposure and inappropriate access. Be proactive: know what the policies and guidelines are, and, as far as you can, use technology to support those guidelines and make sure you comply with them.
Join us on your GDPR journey: GDPR | EU General Data Protection Regulation | AvePoint
GDPR Compliance: Why Multi-Geo Tenancy Matters (Case Study) (avepoint.com)
Check out Forrester’s New Wave SaaS Application Data Protection Q4 2021 report where only AvePoint received the highest possible score for multi-cloud SaaS backup criteria. Get free access to the report at avepoint.com/report.
Don't forget to send us your questions on Twitter with the hashtag #AskDux or by email at firstname.lastname@example.org.
Subscribe where you get your podcasts! Search for “#ShiftHappens” in your favorite podcast app.