In the wake of the GDPR, data privacy and localization are a top priority for organizations operating in the European Union. However, the data localism trend extends beyond the EU and can have big implications for organizations with cross-border matters and plans for international expansion.
The prospect of setting up, vetting and securing in-country data centers while maintaining compliance with local privacy and residency requirements could be enough to deter an organization’s expansion into new markets. It raises additional challenges when an organization’s existing compliance, investigative and audit tools must be replicated for disparate national data centers.
Data localism can be described as a government policy requiring data to be stored within a specific jurisdiction. Most notably, the EU, China, Russia, South Korea and others have enacted data localization rules requiring specific data categories to be stored within country borders. Data localization laws aim to protect citizens’ data from being disseminated across the globe, while keeping that data accessible to the government in the event of an investigation or crime.
Multinational organizations face an evolving challenge in maintaining a cohesive global data infrastructure while segregating datasets to be compliant with national laws. There are several key guidelines to keep in mind when navigating data residency requirements.
Know your data. Privacy and residency requirements for each country can cover an array of data categories. Most data localization laws focus on personally identifiable data (names, addresses, emails, etc.), but countries may also have requirements covering payment, financial, health, credit and spatial data. Therefore it is critical that organizations understand what kinds of information are retained in their data centers. What may sound straightforward when thinking about specialized databases managing categories of information can become more complex when one considers the types of information employees might email or save to out-of-country servers. Organizations should carefully log and document the locations, systems and users with access to datasets covered by data residency laws. This will provide a comprehensive understanding of where potential exposure lies. These logs can also be used to perform periodic scanning and monitoring of email and shared drives that might serve as intentional or unintentional methods of moving protected data out of country.
Employee awareness. Navigating and understanding data localization requirements around the globe can be a challenge for CIOs and data architects. Multinational organizations cannot expect their employees to be up to date on the data residency requirements for each country they interact with, so training and awareness is critical. Even the most compliant data infrastructure can easily be circumvented by an analyst unwittingly downloading a customer report and saving it to a shared drive hosted overseas. Organizations must ensure employees are aware of a) what data is protected by data residency laws so they can be extra vigilant, and b) where various employee resources such as email, shared drives, SharePoint, FTPs, etc., are actually hosted.
Leveraging the cloud. Many times the fastest way to set up data hosting and storage in a region with data residency requirements is to use an in-country cloud provider. These providers have built their business offering cloud solutions compliant with local regulations and requirements. This can shift some of that onus to a third party. However, organizations should carefully confirm the security and privacy of the cloud provider they choose. One critical component is ensuring the encryption used by the cloud service provider meets the level required for the sensitivity of the data. It is important to have accurate documentation on the security, encryption, and access controls used by cloud providers so it is clear how these compare and comply with the organization’s data center requirements.
Analyzing disparate data. Organizations have been trending towards centralizing and aggregating data systems to reduce redundancy, increase access and standardize processes. Aggregated data can provide simplified global access, analytics, audit checks and compliance monitoring systems. Data localization requirements force organizations to fragment components of systems, which can impede centralized analytics and monitoring capabilities. Organizations can tackle this problem by replicating certain audit or compliance processes in local data centers. Additionally, protocols can be used to unify key components of disparate datasets by using anonymized data points related to protected data. For example, sales can be globally analyzed by customer ID without including protected details like customer name or address. Many times the critical components for investigation, key performance indicators and audit analysis do not rely on protected data categories. Identifying and unifying subsets of localized data can provide organizations with global oversight, while still complying with data residency requirements.
The era of data without borders is closing and the trend of data localism will continue to expand. Organizations should have frameworks in place for how to handle operations in territories with data residency requirements. The benefits and flexibility offered by in-country cloud service providers make expansion into new countries less daunting. However, organizations must still actively manage their compliance with data privacy and localization regulations.
Allison Griffin, pictured above, is a Director with Control Risks’ Compliance Forensics, and Intelligence team specializing in data analytics. She has experience supporting clients with data management and analytics expertise related to FCPA investigations, regulatory inquiries, and compliance monitoring. She leverages data analytics to identify, evaluate, and minimize risks for global clients facing complex challenges. She can be contacted here.