Data Residency - Need to Close the Borders for your Data?
While GDPR dictates no strict requirements for the geography of data processing, some organizations are still subject to data localization laws. Either way, it is good practice to take a closer look at your data processing beyond national borders. If for no other reason than because someday you may need to document the geography, or even to close the borders entirely.
With GDPR, organizations are becoming more aware of their entire data protection chain – not just frontend, networks and applications, but security systems and backups as well.
Data localization laws already apply to some industries within critical infrastructure, finance and healthcare, and within the public sector there is also a growing interest in limitations to data residency.
Even though GDPR legislation does not say much about it, an increasing use of cloud and SaaS solutions makes data residency a relevant issue.
Not as straightforward as it seems
Data residency refers to the geographic location where your organization’s data is stored. But data residency is not as straightforward as it seems. The tricky part? It all has to do with access.
As long as your organization’s employees process your data within the same country where your data is stored, compliance is easy. But in today’s globalized world, important tools like virtual access and third-party access can break the residency chain.
Virtual access: Let’s say one of your employees is located in another country and they access data that your organization stores in Denmark, for instance to provide customer service. That data has effectively crossed the Danish border, which means that your organization can no longer claim “data residency” in Denmark.
Third party access: Another issue is if your organization outsources data processing or gives third parties access to its data. This, too, is considered data transfer that breaks the residency chain. For instance, if a Danish company utilizes a service desk platform located in the US, they in fact unwittingly process data abroad.
And to make matters worse, even payment processing functions are subject to the “data transfer” issue.
Moving toward national cloud services
Some countries stipulate the use of national cloud services, which means that public data must always be stored within national borders. One example is the “Bundescloud” in Germany, but Sweden, Norway and the EU are all currently developing or discussing national cloud service regulations.
How does B4Restore process data?
In B4Restore’s capacity as data processor, we give you the option to solely utilize our own data center facilities located in the same country as your organization. We can do this, because we have multiple data centers located throughout the Nordics.
Furthermore, we never use third-party suppliers in connection with data processing, and third parties never have access to the data that B4Restore processes.
- You retain full control of your data, making data migration easier and ensuring you have an exit plan.
- Your data is protected by true separation of duties, meaning no single person or group within your organization can access both your primary data and your backup.
- Our national hybrid-cloud solutions are ISO27001-certified, making compliance easy.
- Zero third-party involvement in data processing in our services.
Note on backup of your cloud data: There are still good reasons for keeping your backup in a Backup-as-a-Service solution, especially if your primary data is stored in a multinational cloud service. For one, it serves as a smooth, built-in exit strategy should you wish or need to migrate to other cloud services at some point.
Get in Touch
Want to learn more? We’re always ready for an informal conversation, contact CCO Jesper Juul: