More and more countries are setting rules on data localization. Every policy is a little different, and some are stricter than others. Because of this, it’s increasingly difficult for organizations to keep up with the different requirements.
Yet it’s also increasingly necessary for a complete privacy program.
Without a clear picture of where your data lives across your environment and where it’s being processed, it’s impossible to comply with these regulations.
Data residency is the concept of keeping regulated data such as personal information within a particular region or country. Essentially, it’s the geographical location of where data is and isn’t allowed to live.
And it doesn’t just include where data is stored, but where it’s processed, too. For example, data collected in one country may not be permitted to be sent to a company in another country — even virtually — for processing.
The first step toward complying with data transfer laws is taking an inventory of what data you’re collecting and where it lives.
Understanding the Flow of Information
Before you can determine if you’re following data transfer laws for a particular region, you need to understand if and where you’re transferring any personal information you collect or process.
Start with data mapping.
This process will help you understand exactly how much and what type of data you’re collecting. You’ll see how your organization uses it internally and with whom you’re sharing it.
Specifically, you should walk away with a data map that shows:
- Where you collect data, including physical and virtual locations
- What fields you collect
- Where you store your data, including physical and virtual locations
- What format you store the data in
- Who can access the data, both in your organization and outside it (third parties)
- How long you retain data and how you securely erase it
Because you want to see the relationships between the elements in your data map, create a graphic visualization. Data visualization will help you quickly identify any problem areas.
This exercise will help your privacy program shore up weak areas, improve disclosures, and stay in line with regulations. Most importantly, in light of increasing regulations about where data can and can’t be transferred, it will help you understand if you’re following the rules.
Data Transfers: Don’t Let Your Data Leave
Rules about data transfers — collecting or storing data outside the country of origin — can be set forth by companies or industry authorities. Most, though, are legal imperatives issued under specific privacy mandates from governing bodies.
These laws often state that organizations need to store and process data within the borders of the issuing country. You typically have to apply for the government’s or the individual’s go-ahead to earn the right to complete data transfers.
There’s an important reason why so many countries are making a big deal about data transfers.
They believe the ability to control how personal information is collected and used is a right each one of their citizens should enjoy. Without data transfer laws, organizations could potentially process data in locations with lax data protection laws. This opens up the potential for the abuse of personal information.
The GDPR is one of the longest-standing privacy laws. It concedes data transfers are allowed within its territory (the EU). However, all other data transfers must be made only to approved parties called third countries. Third countries have proven they have data protection laws that meet or exceed those of the GDPR.
Russia’s On Personal Data Law is stricter. Data about its citizens may only be stored, updated, and processed in locations inside the Russian Federation. Brazil’s LGPD takes a page out of the GDPR playbook when it comes to data transfers, mirroring it closely. However, it doesn’t even allow data processing related to the offering of goods or services to individuals in Brazil.
There’s lots of fine print in all of these laws about data transfers. And there are a lot more laws in existence and in process addressing the same concerns. Data mapping can help you understand which laws you need to home in on when it comes to data transfers.
Conclusion: Turn to Automated Data Mapping
There are two ways to perform data mapping: manually and through automation. The manual option can be done, but you’ll face many challenges. Manual processes take a long time to execute, costing you plenty of man hours and opening up the risk that you can’t correct data transfer errors you may be making. By nature, manual processes tend to be fraught with mistakes.
On the other hand, automation solves all these problems. You can use a single system to see insights about where your data lives. It takes significantly less time and is almost completely error-free.
OneTrust’s Data Mapping tool is an automated system powered in real time with data residency research. It’s designed to allow privacy managers to track where data lives and document cross-border data flows based on data residency and data localization requirements.