Exploring the Maze of Data Sovereignty, Localisation, and Residency and a Four-Step Plan to Navigate It

While most businesses recognise the importance of data, few have mastered how to harness it as a true competitive edge. The potential is there—but turning data into actionable insights requires a deeper understanding of key principles.

Have you mapped out your strategy for leveraging data to drive your business forward? Before you proceed, there are three critical factors you need to understand:
Data sovereignty, data localisation, and data residency.

These terms often cause confusion, with overlapping meanings that can make them seem interchangeable. To clarify the distinctions and dispel any misconceptions, we turned to Geoffrey Coley, Regional CTO for Asia Pacific at Veritas Technologies, to break them down and explore their implications in-depth.

Understanding the Core Concepts| Data Sovereignty, Localisation, & Residency

To start, Coley broke down the distinctions between data sovereignty, data localisation, and data residency, providing a clear foundation for understanding these often-confused terms:

• Data sovereignty is the concept that data is subject to the regulations of the country where it was originally collected, granting individuals and organisations control over how their data is handled. This includes determining where data is stored, how it may be processed, and who has access to it. Hence, an enterprise that has data located in multiple countries must ensure they comply with the laws regarding data privacy in each country or risk legal, financial, or compliance penalties.
• Data localisation mandates that data be stored and processed within a specific country or region, adhering to local laws before any international transfer. It aims to store and process citizen or resident data within geographical boundaries to comply with local legal requirements. Examples of these laws are seen in the likes of the Health Records and the Critical Infrastructure Acts in Australia. Alternatively, legislation in both Australia and Singapore obligates that countries hosting the data of citizens will have at least comparable data protection standards.
• Data residency refers to the physical location of data storage, regardless of the country or region. Unlike data localisation, it does not restrict cross-border data transfer but requires data to be stored in a specific territory for a set period, ensuring accessibility under local legal processes when necessary.

Keeping these definitions in mind and their subtle nuances is a business imperative if organisations want to maintain data efficiently and safeguard it—all while avoiding potential penalties in cases of non-compliance with relevant laws and regulations related to these three. Complying with these mandates should be a bigger concern for organisations, in part because it can be very challenging and in part because more and more countries have passed strict laws on these three vital concepts.

“Countries have crafted more stringent laws on data sovereignty, data localisation, and data residency due to the growing complexity of managing cross-border data flows. As digital borders blur, businesses face the challenge of adhering to diverse international regulations. These laws emphasise the importance of rigorous data management practices to ensure that data is stored, processed, and transmitted in compliance with local regulations,” Coley pointed out in an exclusive interview with Data & Storage Asia (DSA). “By emphasising these principles, countries aim to protect sensitive information from unauthorised access and breaches, mitigate legal risks, and bolster operational security, all while navigating the complex landscape of global data governance.”

The Complexities of Compliance: What Makes It So Difficult?

However, compliance can be particularly challenging, as Coley highlights several common pain points that make the process even more complex than it initially appears:

• Difficulty in controlling where data resides and is processed. The widespread adoption of cloud and the fundamental nature of cloud computing—storing and processing data across multiple jurisdictions—makes it difficult to control where data resides and is processed. Cloud providers often operate data centres in various countries, complicating efforts to ensure data stays within a specific jurisdiction.
• Monitoring and managing data flow continuously. The rise in cross-border transactions, coupled with the dynamic and scalable nature of cloud environments increases the complexity of monitoring and managing data flow, along with the risk of non-compliance with national laws.
• Technological and logistical costs. Aligning IT infrastructure and data management practices with data sovereignty requirements can require businesses to invest in localised data centres or adopt region-specific cloud services to meet data residency and localisation mandates. This adds to operational costs and calls for ongoing vigilance to maintain compliance as laws evolve. The alternative to not doing so can also result in fines and loss of trust with clients. It’s a balance and beyond legislative requirements, organisations must take a controlled and risk-based approach to factoring how to move ahead.

Organisations need to endeavour past these challenges to ensure compliance because anything less would be bad for business in more ways than one.

“Non-compliance with data sovereignty, data localisation and data residency laws can result in hefty fines and legal sanctions. These penalties can be substantial, depending on the jurisdiction and the severity of the violation,” Coley warned. “Governments or regulatory bodies may initiate lawsuits against companies that fail to comply. This can lead to prolonged legal battles and additional costs. In some cases, companies that do not comply with data sovereignty laws may be banned from operating in certain markets. This can be particularly detrimental for global companies that rely on access to large international markets. Regulatory authorities might revoke licenses or deny permits needed for the business to operate within a jurisdiction.”

The Cost of Ignoring Compliance

It gets worse. Non-compliance, according to Coley, may prompt authorities to demand the erring party to move or delete the data involved, potentially disrupting operations and compromising productivity and efficiency. Violators of relevant laws may also be instructed to undertake costly data migration projects, invest in new infrastructure, or establish local data centres—all additional expenses that can possibly reduce a company’s bottom line.

Compliance is particularly critical for organisations handling sensitive or confidential data, Coley pointed out, as they are usually prime targets for cyber attacks and breaches. The healthcare industry, for instance, has seen a spike in cybersecurity-related attacks, with several healthcare facilities, including a private eye clinic in Singapore in 2021 targeted by threat actors.

Further complicating matters, according to Coley, are emerging technologies like Artificial Intelligence (AI) and Machine Learning (ML), in particular, as they bring associated risks—primarily the protection of personal data when it comes to training AI models—to the equation. These risks, in turn, are forcing the hand of governments worldwide to evolve their laws to further protect personal data and sensitive information.

“As these technologies generate and process vast amounts of data, they intensify the need for strict adherence to data sovereignty principles. For instance, the use of ML or AI model inherently creates a data sharing network within the organisation, underscoring the need for this data flow to be managed with the appropriate data sovereignty and compliance requirements,” Coley explained. Shorten with AI

“The growing reliance on AI is leading to divergent privacy laws and approaches in today’s global digital economy. The increase in risks associated with AI drives more rigorous requirements to protect personal data, while also striving to harness data for productivity benefits. Consequently, jurisdictions face a need to balance advancing digital transformation and addressing privacy concerns in transparent and sustainable ways, leading to varying and evolving mandates across different regions.”Shorten with AI

What Steps Can Organisations Take to Ensure Compliance?

Indeed, compliance is proving to be very difficult, but there are ways to overcome the challenges and complications outlined previously. Coley outlined to DSA four key steps to that end, which he said can help “strike the right balance in keeping data safe and sharing it to gain added value.” These steps are as follows:

1. Data classification. This allows organisations to apply different rules and technologies based on data sensitivity and the required sovereignty. Categorise the different provisions of the various regulations and create a map of the types of provisions and the jurisdictions to which they apply. Review all your data repositories to understand the nature of the data stored in each one. For example, data falling under strict regulatory requirements can be processed and stored differently from less sensitive information. Regular audits and compliance checks ensure ongoing adherence to applicable laws and help proactively identify and mitigate any potential issues.
2. Data protection solutions. Adopting data protection solutions with encryption capabilities is one of the best measures for enhancing cybersecurity posture. Encryption ensures that even if data crosses borders, it remains unreadable without the appropriate decryption keys, which can be stored and managed according to local laws. Geographic fencing uses technologies like GPS and IP addressing to restrict data access to certain locations while also ensuring data does not leave a specific jurisdiction.
3. Establish access controls. Define policies and implement technical controls to ensure that your data is processed in accordance with the regulations that apply to your organisation. Implementing data access controls guarantees that only authorised users can access sensitive information, reducing the risk of accidental breaches or non-compliance. Advanced monitoring and logging tools provide real-time visibility into data movements and access patterns, helping to swiftly detect and respond to potential compliance violations.
4. Adopt flexible cloud deployment models for backup and recovery. Having flexible cloud deployment models for your data backup and recovery lets you control where the service and data are hosted. A solution with a single-tenant deployment architecture that can be provisioned in your own or the provider’s tenant in any region where your data is located is ideal as it provides the best possible foundation for a secure environment with no chance of your data commingling or migrating across borders and accidentally running afoul of data sovereignty rules.

Business leaders will need to take note of Coley’s recommendations as data sovereignty, data localisation, and data residency requirements are bound to become even more stringent in the years ahead due to data’s growing role as a differentiator in today’s business landscape.

And as governments worldwide tighten the screws so to speak to protect sensitive data, organisations will need to be even more proactive and vigilant in terms of making sure they are complying with data sovereignty, data localisation, and data residency mandates—or else risk facing major penalties that could potentially send the business back in a big way.