Have you ever thought about where your website's information actually resides? Many people think it doesn't make a difference, but it does. Some countries have stringent rules about where information can be held. If your website collects information about your customers, you may be required to maintain that information in a particular country or area. So let's distill that down into simpler terms.
What Is Data Residency and Why Should You Care
Data residency is the physical location where your website's data is kept: the country or region in which your servers sit. Think of it as your website's "home." Certain countries feel it is important that their citizens' information remain within their borders, for privacy and security reasons.
For example:
• The EU's GDPR and Canada's PIPEDA have strict provisions on where personal information may be transferred.
• If your website collects information from someone in the EU, the data must stay in the EU or be moved only under an approved transfer mechanism.
Why? Because each country has its own laws about who can see or use personal data. Governments are trying to fulfill their mandate to protect their people's privacy and curb misuse.
When Your Website Data Must Stay Local
Some countries have what are called data localization laws. These laws stipulate that you must keep user data on servers physically located within that country. Here are some examples:
• China: data must be housed in China and is subject to government evaluation
• Russia: personal data of Russian citizens must be stored in Russia
• India: data from certain sectors, such as banking, must be stored in India
• EU: GDPR expects data to be stored either locally or in an approved region
Therefore, if your website serves people located in these countries, consider hosting solutions that follow their local data laws. Do not willfully violate these laws: doing so may incur fines, restrictions on your website, or harm to your and your company's credibility with customers.
How to Comply with the Rules with Less Effort
No need to worry: complying with the data rules is not as hard as it seems. Here are a few simple tasks:
• Know where your users are: if most are in Europe, host your website in Europe.
• Choose a compliant host: pick one with data centers in the same region that meet GDPR or ISO 27001 requirements.
• Use data-tracing tools: they help you track what happens to your users' data.
• Revise your privacy policy: state explicitly where users' data is located.
Seriously, it is far better to act now than to have to explain yourself to regulators later.
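One way to put "know where your users are" and "trace your data" into practice is a residency check over your hosting inventory. This is an added example, not part of the original post: the rule table and the country-to-jurisdiction map are simplified, constructed encodings of the bullets above, the inventory is made up, and "EU_ADEQUATE" is an assumed label for an approved transfer region rather than a real adequacy list.

```python
from dataclasses import dataclass

# Constructed, simplified encoding of the localization rules listed above:
# (jurisdiction, data category) -> regions where that data may be stored.
# "*" = any category; "EU_ADEQUATE" is an assumed label, not a real adequacy list.
RESIDENCY_RULES = {
    ("CN", "*"): {"CN"},                 # China: data stays in China
    ("RU", "*"): {"RU"},                 # Russia: citizens' personal data stays in Russia
    ("IN", "banking"): {"IN"},           # India: sector rule, here only banking data
    ("EU", "*"): {"EU", "EU_ADEQUATE"},  # GDPR: EU or an approved transfer region
}
# Partial, constructed country -> jurisdiction table (EU members collapse to "EU").
JURISDICTION = {"DE": "EU", "FR": "EU", "IE": "EU", "CN": "CN", "RU": "RU", "IN": "IN"}

@dataclass
class DataStore:
    name: str
    region: str            # where the servers physically sit
    category: str          # what kind of personal data the store holds
    user_countries: set    # countries of the users whose data is inside

def allowed_regions(jurisdiction, category):
    """Most specific rule wins: exact category first, then the wildcard; None = no rule."""
    rule = RESIDENCY_RULES.get((jurisdiction, category))
    return rule if rule is not None else RESIDENCY_RULES.get((jurisdiction, "*"))

def find_violations(stores):
    """Return (store name, user country, region) for every rule the inventory breaks."""
    violations = []
    for store in stores:
        for country in sorted(store.user_countries):
            allowed = allowed_regions(JURISDICTION.get(country, country), store.category)
            if allowed is not None and store.region not in allowed:
                violations.append((store.name, country, store.region))
    return violations

# Constructed inventory: the kind of list a data-tracing tool would produce.
SAMPLE_INVENTORY = [
    DataStore("accounts-eu", "EU", "accounts", {"DE", "FR"}),     # fine
    DataStore("analytics-us", "US", "analytics", {"DE", "CN"}),   # EU and CN data left home
    DataStore("payments-in", "IN", "banking", {"IN"}),            # fine
    DataStore("backups-sg", "SG", "banking", {"IN"}),             # Indian banking data abroad
    DataStore("cdn-logs-us", "US", "logs", {"IN"}),               # no rule encoded for this category
    DataStore("ru-mirror-us", "US", "accounts", {"RU"}),          # Russian data abroad
]

if __name__ == "__main__":
    for name, country, region in find_violations(SAMPLE_INVENTORY):
        print(f"{name}: holds {country} data but sits in {region}")
```

Run against your real inventory, the output is the list of stores to move (or the list of transfer mechanisms you need to document) before a regulator asks.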