Data Residency: insights on where to store the personal data you collect
Data Residency: where the home for your data is.
Data Localization: a business choice or a legal obligation?
We live in a world where information can travel across borders within a heartbeat. Yet, if it can be rendered anytime anywhere, it has to be stored somewhere at some point.
Finding out where that somewhere should be can be quite a puzzle to solve. Preferably, you want it to be safe, compliant, as well as economically interesting. But mostly, finding the right location for storing valuable information is a legal conundrum that you will have to solve carefully. Especially when managing the personal data of users from various nationalities, as each country poses different geographic limitations as regards to data residency.
The challenges of finding a Safe Home for Your Data
Organizations might think that this is an easy task. But at a time of global data exchange and the multiplication of data privacy laws, choosing the right place for storing personal data is becoming increasingly challenging.
Depending on their business location, companies will have to address different legal requirements. Depending on the place of residence of their users, different expectations. And depending on the data they collect, even additional constraints and limitations. So how to keep up with all that?
#1 Address the legal requirements of your business location
One of the first things companies should consider when thinking about data storage location is where they are located and which data-related laws apply to their location.
Specifically, two things have to be checked: first, the scope of the law, which determines to whom, to what and where the law applies. Second, possible additional provisions such as the ones in the chapter 5 of the GDPR addressing the “transfers of personal data to third countries or international organizations”. Based on these indications, you will be able to get a first idea of what can be done or not within the borders of your country.
#2 know everything about your users’ location and their data
Another parameter to be taken into account when resolving the issue of data residency is the place of residence of the users and the type of data about them that are being collected.
Mostly, because some legislation defines their scope of application according to users’ location (like the GDPR). But also, because users are now more aware about data privacy and start to have higher expectations as to where their data should live. Besides, depending on the data collected, some additional constraints might be added by regional regulatory authorities, like the HDS Certification required for health data hosting in France.
#3 check the laws surrounding your third-parties’ location
Now for economic reasons, some companies may be tempted to have their data stored in a country that is neither that of the company nor that of their users.
Nevertheless, such decisions should be made wisely. The recent Shrems II judgment of the EU Court of Justice (CJEU) is a good example of why transferring data to a third-party country might be problematic as regards to users’ data protection rights. In particular, companies should consider the issue of having personal data transferred within the borders of a country where the law provides government access to these data.
So where is it, the “right” place for your data? Is it in the EU? the US? Or maybe a little bit of both? Choosing a data storage location should not be a matter of choosing a good compromise for all the data, but choosing the right location for each data separately, so that each user can feel secure about his or her data place of residency. So maybe, the “right” decision might be giving the users a choice as to where their data should live?
Now how can we help you with that? Companies can use Pryv.io’s decentralized design to individually store the personal data they collect according to their users location.
Take a peek at our solution: Pryv.io’s Regional data hosting distributed model.
Pryv.io is a personal data lifecycle management platform specifically engineered to empower businesses to rapidly create and scale breakthrough, privacy compliant products.
With Pryv.io, companies can easily store their data into a distributed environment to enable local (on- premise/per choice) Regulations Compliance, and even create installations that span the globe and co-locate the data with the users’ legislation.
Indeed, with Pryv, all data is kept per-user, making it very easy for our customers to redirect each data to a distinct server according to their users’ geographic locations. Based on a powerful distributed model, users are distributed among servers with no global bottleneck.
Each user account can be then stored on a different server, which can be located anywhere. The capabilities are set by the infrastructure in terms of bandwidth and storage. The architecture is designed according to the client’s needs.
Thanks to Pryv recent partnership with Euris Cloud Santé®, we also provide a complete data storage and privacy back-end solution. In France, companies can efficiently meet both french HDS and data privacy and residency requirements.
Learn more about our different offerings: Pryv + Cloud Santé® PRIVACY
Stephanie & Evelina @ Pryv