What is Data Residency & How Can a Data Privacy Vault Help?

November 11, 2022

Businesses run on data, but managing and transferring data is becoming more complex as governments across the world define data residency requirements that restrict where sensitive PII, as defined by those governments, is stored and processed.

If you sell a product or service in multiple markets, you’ve probably encountered some regulatory barriers already. Scaling your company up and expanding into a new market means planning ahead and finding ways to meet these regulatory requirements.

What Is Data Residency?

Data residency is a central element of modern privacy laws. Simply put, it is a set of requirements that govern the location, control, and security of sensitive data that is collected or stored in a particular country, state, or region. From a user perspective, it is typically embodied in pop-up warnings or requests for consent to collect user data. From your perspective, it is a set of technical requirements that your business has to meet to collect or use data in or from a new region. 

There are a growing number of data privacy laws and regulations which define data residency requirements, including the General Data Protection Regulation (GDPR) in the European Union, Brazil’s General Data Protection Law (LGPD), and the Canadian Personal Information Protection and Electronic Documents Act (PIPEDA). There are similar laws on the books in nations such as Australia and Korea, with more cropping up each year. 

While some of these laws don’t have specific storage or processing requirements around data, they all govern sensitive data collected within those regions. For example, GDPR doesn’t require you to store data collected in the EU within the EU, but it does require that any sensitive data stored elsewhere is transferred only to a location that has regulations substantially similar to GDPR.

For Sensitive Data, Borders Matter More than Ever

As the above example indicates, getting and staying compliant with data residency requirements can get very complicated, very fast. For example, entering a new market requires that you research any current or future legislation, build the legislative requirements into your product or service, and make sure that any sensitive data is being stored and processed in a compliant manner (and in a region that meets those residency requirements). Not only that, but you’ll have to do this for every jurisdiction where you do business. 

This can become especially difficult if you have a product or service that anyone can access or purchase from anywhere, such as a smartphone app. Not meeting the requirements of a particular piece of legislation could freeze you out of that market, stymieing growth and potentially damaging your reputation. It could also impact your brand reputation in other markets.

And even in cases that are less complex than supporting a global smartphone app, compliance can be very challenging. A simplistic approach to data residency compliance where you geo-duplicate your architecture in each region where you face data residency requirements is expensive, hard to maintain, and lacks support for global analytics.

The following shows a geo-duplicated architecture for a company that operates in the EU and Brazil:

A Geo-Duplicated Architecture That’s Costly, but Doesn’t Support Global Analytics

Data Residency: A Continuous Challenge

But costs, maintenance, and analytics are just the start of the data residency issues you’ll face with a geo-duplicated architecture. Let’s say you’re marketing your products in multiple countries, collecting data that is protected in some regions and has local data storage requirements in others. If you’re already in multiple markets, this is probably a familiar situation. You have to devise a way to meet the protection rules for data you collect in all markets, while ensuring that you store that data within the regions that require local storage. 

What makes this so challenging is the fact that modern cloud storage solutions aren’t typically set up with the level of granularity or storage flexibility needed to support this. You probably set your system up in compliance with the laws of your company’s “home” market, building pipelines that store all data in a single database or data lake in a cost-effective local datacenter, in compliance with local laws. 

However, routing everything into the same data storage system isn’t going to work any more — some of that data needs to stay in the region where it was collected, and some of it needs to follow particular encryption, redaction, or anonymization rules. 

Geo-Replication Has Serious Limitations

As shown above, you could roll up your sleeves and replicate your datacenter infrastructure in each market, setting up localized rules, storage procedures, and security measures, seeking out the most cost-effective data storage in each country or region, and ditching the simplicity of a single data storage solution for multiple purpose-built architectures in each current and future market. But as you might have already guessed, this approach likely causes more problems than it solves.

While a geo-replicated architecture lets you operate in the markets where you’re already operating, expanding into a new market (even with just a single customer) requires new data center infrastructure, possibly with a unique architecture. And each local datacenter could require tweaks and adjustments as laws change. Making this even more complicated is the ‘federalization’ of data privacy laws, with unique laws being written and enforced that span multiple countries, a single country, a single state within a country, and possibly even smaller jurisdictions, like counties and cities. 

Meeting the Data Residency Challenge with Skyflow Data Privacy Vault

Skyflow Data Privacy Vault combines the essential elements of each approach, allowing you to centrally store all the data you collect while giving you granular control over where the data goes, what it is used for, how it is secured, and where it is stored. By storing all of your data in the vault, you ensure that it is encrypted in transit, at rest, and in memory, meeting legislative requirements without limiting the usability of the data. 

Our advanced data governance engine allows you to easily manage the complexity of multiple data residency laws, giving you highly granular control of each piece of data. Social security numbers or other government IDs collected in one country might require full redaction, while only partial redaction might be required in another, but you can easily account for this using Skyflow’s policy-based access control model (PBAC).

Finally, you can host one or more vaults anywhere in the world, allowing you to meet multiple residency requirements, set unique rules, and future-proof against legislative changes. Rather than building a unique datacenter architecture yourself in each new market, Skyflow gives you all the tools you need and keeps the data you collect where it needs to be, all while allowing you to use that data for insights and internal functionality. 

Centralized Architecture with Local Data Privacy Vaults and Tokenization

But, what about if you already integrate your services using MuleSoft Gateway? Skyflow has this scenario covered as well.

Use Mulesoft’s Skyflow Connector to Ensure Data Residency Compliance

If you integrate services with MuleSoft Gateway, you could use that as part of your data residency strategy. Let’s assume that you work for a medical diagnostics company with an app that’s deployed to the EU and US, with some region-specific configuration that occurs during installation. 

Your company needs to ensure that PII collected from EU residents stays in the EU and PII collected from US residents stays in the US to meet various data residency requirements, including those in GDPR. The following diagram illustrates how this data residency solution works: 

Apps in Multiple Markets Use MuleSoft and Skyflow to Ensure Data Residency

To meet data residency requirements for the sensitive PII that you’re collecting, the first step is to deploy Skyflow vaults in multiple geolocations, in this case in the EU and in the US. Your Mule app running in MuleSoft Gateway can then use multiple Skyflow Connector instances to store PII where it belongs, in a Data Privacy Vault that shares the same geolocation as the customer.

Learn More

Whether you are gearing up to enter a new market or already juggling data residency laws, Skyflow Data Privacy Vault is an effective platform to help you meet any current or future legislative requirements. In fact, you can use Skyflow to protect sensitive data in Large Language Models (LLMs), so you can harness the potential of generative AI without sacrificing data privacy.

If you’d like to learn more about how Skyflow can help you, join us to learn more about How a Data Privacy Vault Simplifies Data Residency. Or, contact us for a Skyflow demo.

Keep Reading

No items found.