Planning and tracking data residency is an important task that helps ensure compliance with evolving data security and data privacy laws around the world. Since data protection laws often vary by jurisdiction, the geographic location of an organization’s data assets can determine which legal requirements apply.
Legal requirements range from rules on obtaining consent for data collection to time limits on data storage. In addition, some countries have data residency requirements for organizations operating within their borders: They mandate data localization—that data reside in a specific location, with limited or no data transfers allowed.
Enterprises are increasingly turning to software solutions to determine and track data residency to help ensure regulatory compliance. Such solutions monitor data flows between different locations, including across national borders, to ensure data doesn’t violate regulatory requirements in its various destinations.
To understand the importance of data residency today, it’s helpful to review the evolution of both data storage and data protections around the world.
In the early 2000s, modern cloud infrastructure and cloud services providers transformed the landscape of data management and data processing. On-demand access to remote servers meant that businesses were no longer limited to whatever computing power and storage was available on premises. Instead, enterprises could take advantage of data centers in different countries operated by cloud providers like Amazon Web Services (AWS), Microsoft Azure and Google Cloud.
This cloud-based infrastructure offers rapid scalability and flexibility, as well as lower latency for use cases like edge computing (where computing resources must be located close to the site of data creation). As more companies incorporate AI workloads, data center use will only grow, with demand for data center capacity projected to nearly triple by 2030, according to 2025 McKinsey research.1
As technological advances allowed companies to collect, process and store more customer data, governments began devising data privacy laws to protect consumers. The European Union led the way in governing data collection and protection, with the 1995 Data Protection Directive and then the landmark General Data Protection Regulation (GDPR), which took effect in 2018. GDPR sets requirements for how organizations protect personal data and establishes the rights of EU residents, also known as “data subjects,” over personal data collection, use and possession.
Countries outside the EU, such as Australia, Brazil, Canada, China, India, Japan, South Africa and the United Arab Emirates, ultimately enacted data protections of their own. Today, nearly 80% of countries have data privacy and protection laws.2
In many cases, lawmakers’ data protection efforts also included data localization laws—measures that hinder organizations from transferring data outside of a specified region and require them to maintain data residency in that region. In addition to concerns regarding privacy rights, data localization supporters cited security and cybersecurity concerns: Sensitive data stored outside its country of origin could be harder for that country’s security agencies to access while potentially being vulnerable to foreign surveillance and data breaches by international crime syndicates.
Localization requirements have ranged from total bans on cross-border personal data transfers (as in Russia) to limits on transfers of certain types of data, such as sensitive healthcare data (as in Australia).3 According to McKinsey, three-quarters of countries have implemented data localization rules.4
The intersection of these trends—the growth of cloud computing and the development of data privacy and localization laws in different countries—made it critical for enterprises to know exactly where their data resides at all times. Organizations today are tasked with determining whether their growing data ecosystems, spread across data centers around the globe, meet compliance requirements in relevant jurisdictions. And determining which laws apply to which data assets means ascertaining and tracking the residency of regulated data.
Data residency and data sovereignty are distinct but closely related terms. While data residency refers to the specific location of data, data sovereignty is the principle that nations have legal and regulatory authority over data that is generated or processed within their borders. In essence, data residency is a geographic concept while data sovereignty is a legal one.
Data residency is often key to determining which country’s data sovereignty laws apply—and depending on the data flow, both residency and sovereignty of data may extend to more than one country.
For example, a US-based business must comply with GDPR requirements if it engages in data collection and storage within an EU member state. In this scenario, the data would have residency in that state, meaning the EU would have data sovereignty. If that business then transfers the data for processing by a SaaS app in Canada, the data would also have residency in that country. This, in turn, would extend data sovereignty to Canada and likely require adherence to its Personal Information Protection and Electronic Documents Act (PIPEDA).
The global landscape of laws and regulations related to data residency and data localization is a complex and evolving one, with some rules more restrictive than others. McKinsey researchers classify localization measures into four categories.5
Different jurisdictions may include different requirements, with some applying only to certain types of sensitive data.
Businesses risk a range of consequences if they fail to track and manage data residency across their data stores.
Enterprises may be subject to steep fines when they run afoul of laws related to data residency. For instance, in 2023, the EU levied an unprecedented fine of EUR 1.2 billion (about USD 1.4 billion) on Meta for transferring European user data to the United States in ways that were not GDPR compliant.
Visibility into the location and movement of data is integral to maintaining data security as different environments require different security measures. Cloud security should address the challenges of tracking data access in cloud services—services that can be reached outside of corporate networks. Data breaches involving multiple environments cost companies, on average, USD 1 million more to resolve than data breaches at on-premises environments, according to IBM Institute for Business Value’s 2025 Cost of a Data Breach report.
Companies that generate headlines for data residency and regulatory compliance problems can suffer reputational damage and a loss of customer trust as consumers become increasingly focused on data privacy. A 2024 global survey of consumers by Cisco found that more than half of those polled were aware of their countries’ data privacy laws.6
When companies don’t manage data residency to comply with local regulations, they might forfeit the ability to do or grow business in certain regions. For instance, in 2021, the Reserve Bank of India (RBI) announced that MasterCard had violated a rule mandating that data relating to payment systems be stored only in India. As a result, regulators prohibited MasterCard from issuing new credit, debit and prepaid cards in the country.7
Enterprises, especially those in regulated industries with cross-border data flows, are leveraging software to track data residency and ensure regulatory compliance in different jurisdictions. The most common type of solution is data security posture management (DSPM).
DSPM platforms locate data and track data flows across on-premises and cloud resources. They can find and classify sensitive data and identify risks of noncompliance to applicable regulatory frameworks. In other words, a DSPM can alert organizations when data stored or processed in a certain country isn’t being handled in accordance with that country’s laws.
Many DSPM solutions also provide step-by-step remediation instructions for resolving potential risks, allowing enterprises to address data residency and sovereignty issues before they turn into costly problems.
1 “The cost of compute: A USD 7 trillion race to scale data centers.” McKinsey. 28 April 2025.
2 “Data Protection and Privacy Legislation Worldwide.” UN Trade and Development. Accessed 16 October 2025.
3 “History of Data Localization.” Carnegie Endowment for International Peace. 1 April 2021.
4,5 “Localization of data privacy regulations creates competitive opportunities.” McKinsey. 30 June 2022.
6 “Cisco’s 2025 Data Privacy Benchmark Study: Privacy landscape grows increasingly complex in the age of AI.” Cisco. 2 April 2025.
7 “Reserve Bank of India takes supervisory action on Mastercard Asia/Pacific Pte. Ltd.” Reserve Bank of India. 14 July 2021.