Payments Blog • 7 MIN READ

Data sovereignty vs data residency: What’s the difference and why does it matter?

IR Team

Written by IR Team

The terms ‘data sovereignty’ and ‘data residency’ can be a source of confusion for organizations who manage data across borders, particularly with the rapid adoption of cloud computing.

It’s important for businesses to understand the differences in these terms, and how they impact their data – and ultimately, their business operations, especially with the global adoption of the hybrid work model.

In effect, data sovereignty and data residency are part of the same basic concept, which is the way data privacy impacts cross-border data flows. Those businesses who handle international data must ensure that data privacy isn’t compromised when shared in other countries.

Additionally, understanding the legal requirements of storing data in a specific country is fundamental to legally satisfying data privacy and security standards.

What is data sovereignty?

Data sovereignty refers to the laws and governmental policies applicable to data stored in the country where it originated and is geographically located.

For example, in Canada, the Canadian Consumer Privacy Protection Act (CCPPA) gives consumers control over their data and promotes greater transparency about how organizations use data containing personal identifiers.

And Australia’s Privacy Principles (APP) legislate that personal data kept in Australia must meet the thirteen standards on how data is collected and used.

What is data residency?

Data residency refers to the decision of businesses to store data (away from its origin) in another location and authority. It means that once data is moved, stored and processed within a particular region it is subject to the laws, customs and expectations of that specific region.

For example, what may be deemed the acceptable use of personal information in Europe, could be controversial in California. To avoid data residency compliance issues, users need to conduct data mapping – that is, understanding what data you have, where it’s located, and the data residency policies for each respective location.

Additionally, cloud users need to carefully review their Service Level Agreements (SLAs) with cloud providers to establish exactly where their data can and cannot be moved, stored or processed.

DS DR image 1
Image source: TechTarget

In summary, data residency refers to where the data is physically and geographically stored, while data sovereignty is not just about where the data is stored but also about the laws and regulations that govern the data storage at its physical location.

Data security

The ‘three states of data’ is a term used to categorize structured and unstructured digital data. The three states are:

  • Data at rest
  • Data in transit
  • Data in use

Understanding their characteristics can help organizations manage and secure sensitive information.

Data at rest (stored data)

Data at rest is data that is not actively moving between devices or networks, such as archived or stored data. One of the primary things for businesses to consider is how and where this data is stored, for example on-premise, or in the cloud.

As some cloud providers may not provide the option for customers to select the regions where they’re storing or backing up data, organizations need to clarify where exactly their data will be stored, and the regulations relating to that location.

Data in transit (Data in motion)

Data in transit is actively moving from one location to another as it passes through the internet or a private network. As data in transit is considered less secure while in motion, in any industry it’s crucial that this data is protected wherever it’s moving.

Data in use

Data in use actively moves through parts of an IT infrastructure as it’s being updated, accessed, read, processed or erased by a system. Because data in use is directly able to be accessed by multiple users, it makes this type of data most vulnerable.

DS DR image 2.png
Image source: Security Boulevard

Unprotected data, whether at rest, in transit or in use can leave organizations open to attack, so it’s vital to have robust data protection measures in place across the board. One of the most effective data protection measures is data encryption. Organizations can use data encryption tools to protect data from unwanted access, while ensuring data residency compliance.

Read our comprehensive guide to P2P Encryption

The growth of data sets

Globally, there are over 7.2 million data sets, and the industry is growing rapidly. Data s handle the backup of data, networking, website hosting, security and email management.

The country with the most data centres by far the United States with over 2,670. This is followed by the U.K., with 452, Germany with 443, China with 416 and The Netherlands with 275.

Organizations may choose to store their data in a cross-border data for reasons such as different tax benefits, but this data is then subject to the privacy laws of that country. This may cause conflict if these laws are different from the country where the organization is based.

Organizations that reside in places like Canada, Australia and Europe are increasingly demanding that their data remain outside of the United States, and preferably within their own country of residence.

Choosing where your data resides

When deciding where and how to store their data in the cloud, organizations should balance their need for efficiency and competitiveness with data residency and privacy implications. Too many restrictions with keeping data in one location could impact innovation. However, a free approach to moving data across jurisdictions is also risky.

Thoroughly investing best practices could help your organization boost your digital transformation efforts while mitigating data residency risks.

Topics: Banking Finance Payments Transact Security Real time

Subscribe to our blog

Stay up to date with the latest
Communications, Payments and HP Nonstop
industry news and expert insights from IR.

We're committed to your privacy. IR uses the information you provide to us to contact you about our relevant content, products, and services. You may unsubscribe from these communications at any time. For more information, check out our privacy policy.