Research article

Data residency, sovereignty & localisation

Data governance has significant implications for the data centre industry. Hence it is important to understand and distinguish the three concepts of data residency, data sovereignty and data localisation

Data residency, data sovereignty and data localisation are terms that often bring confusion for businesses managing data across borders. Yet, with the rising popularity of cloud computing and Software as a Service (SaaS) solutions, these three concepts need to be clearly distinguished and considered cautiously.

Data residency is where a business specifies that their data is stored in a geographical location of their choice for policy reasons, frequently to take advantage of a better tax regime. Data residency usually implies that a certain amount of data processing is done within the chosen country’s borders.

Data sovereignty refers to the country’s laws where the data is stored. In the EU, the General Data Protection Regulation Act (GDPR) law became applicable to all member states in May 2018. The main goal of the law is to protect the EU’s citizens’ privacy and information. Hence, GDPR rules apply to all companies (including non-European ones) that have data from organisations or people residing in the EU. Additionally, the GDPR provides for the free flow of non-personal data within the Union to enhance the competitiveness of its digital economy. Importantly, it also allows for the flow of data to third-party countries if the receiving country’s laws comply with the GDPR’s rules.

Data localisation is the most stringent concept of the three. It refers to legal obligations requiring that data created within a country’s borders remain in situ. With GDPR opening the data market within the EU, a very small amount of data is concerned by data localisation obligations. Yet, depending on data subjects (finance, health, telecoms), some EU members have their own nation-specific legislation, which heightens complexity for data centre operations.

How does data governance impact the data centre industry?

To compete for data sovereignty business, cloud and SaaS cloud providers need to offer multiple data centre locations based on local regulatory requirements. Over time, this has enabled an improved footprint of non- European cloud providers in the EU and somehow, a more widespread distribution of data centres across the region.

However, for developers and operators, imperatives imposed by nation-specific legislations do not necessarily fit the specificities of the data centre business model, including good connectivity, availability of energy (notably green energy), construction costs and land usage to name a few.

Taking a hybrid data storage approach can solve many of the challenges posed by data sovereignty. Organisations with their own private on-premises environments or using national data centre facilities overcome these challenges without losing the benefits of cloud services. Yet, the multiple data storage solution comes at a higher cost.

In spite of the GDPR tending to unify data laws across the Union, some European countries have their own nation-specific data legislation. This lack of cohesion brings complexity and legal costs for data centre operators for which obligations and liabilities are increasingly engaged. Organisations can be fined up to 4% of annual global turnover if they break the GDPR.

Read the articles within Spotlight: European Data Centre below.

Other articles within this publication

6 other article(s) in this publication