Global Data Residency Regulations

Goals

To understand data residency, including what it is, how it impacts businesses, market size, key drivers, the laws and regulations globally, consequences for not following the laws, key players in the space, and case studies on data residency in practice, in order to assist with a company evaluation.

Early Findings

  • The term data residency is often used interchangeably with two other terms, data sovereignty and data localization, but the three terms actually have different meanings. A simple way to describe it is that they are three levels of "how data privacy impacts cross-border data flows." Definitions for each are provided below, from least to most restrictive.
  • Data residency is where a business stores its data. The location is typically chosen by the business for regulatory or business reasons, including for tax purposes.
  • Data sovereignty means that data is subject to the protections, and punishments, of the country where it is stored. The rights of the people whose data is being stored are determined by the laws of the country where the data is located.
  • Data localization is the most restrictive of the three concepts. It requires that data remain within the borders of the country where it was created, and it most often applies to data on citizens. In many cases this may simply mean that a copy of the data needs to stay in the country, but in other cases, such as in Russia, data on citizens is not allowed to leave the borders of the Russian Federation.
  • Some states with the strictest data localization laws are Brunei, Indonesia, Nigeria, Russia, and Vietnam. In these cases, personal data on citizens must always be stored in the country.
  • The General Data Protection Regulation (GDPR) was enacted in the EU and explains how data must be handled there.
  • Partial data localization laws are in place in Belarus, India, Kazakhstan, Malaysia and South Korea. In these countries individuals must provide consent before data is transferred outside the country, and regulations only apply to certain domains.
  • Argentina, Brazil, Colombia, Peru, and Uruguay have restrictions that only apply if certain conditions are met.
  • Finally, in Australia, Canada, New Zealand, Taiwan, Turkey and Venezuela, data localization only applies to certain industries, such as healthcare, finance, and telecom.
  • Currently, these countries appear to be the only ones with known data localization laws.
  • The types of data typically covered by data localization laws include names, addresses, phone numbers, credit info, photos, IP addresses, location info, political views, ethnicity, and more.
  • According to Markets and Markets, the enterprise data management market is valued at $77.9 billion in 2020, and is expected to grow at a CAGR of 9.5% through 2025, to a value of $122.9 billion.
  • According to Solutions Review, some key players in enterprise big data management are Oracle, Teradata, Microsoft, IBM, and SAP.

Summary of Initial Findings

  • In our initial research we were able to provide an overview of the data residency space including definitions of key terms, countries with data localization laws, the market size of the enterprise data management industry, and a few key players.
  • We did not have time to provide details on data laws and consequences around the world, or details on how these laws impact businesses. Due to each country or region having their own laws, this is a huge topic.
  • We also were not able to address the market drivers in the space or case studies of businesses that have addressed these data laws, either successfully or unsuccessfully.
