Nearly three-quarters of organisations held to data residency requirements

Most organisations must process data in their own country or region, according to a survey from WithSecure (formerly known as F-Secure Business).

The survey* polled over 3 000 IT decision-makers, IT influencers and top management from organisations in 12 different countries about a variety of IT, network and cloud security topics, including data residency of their organisations and their customers' data.

Thirty-eight percent of respondents said they’re required to process data in the same region they operate in, and a further 35% said they’re required to process data in the same country.

The importance of processing data within their region was more common in European countries, according to responses from Belgium, Denmark, Finland, Germany, the Netherlands, Norway and the UK. Respondents from France and Sweden were split evenly about whether data needs to be processed in their country or region.

Keeping data within their country’s borders instead of a region was more common in the US and Japan. On the other hand, in Canada (27%) and Norway (21%), processing data within their own countries was least likely required, highlighting the differences in data residency requirements even within regions.

While data residency obligations can be legal, it’s just as often viewed as a better way for businesses to operate, according to WithSecure Cyber Security Advisor Paul Brucciani.

“Managing risk to data privacy in different parts of the world is a headache for organisations. And people care more about how their data is used these days: how it is collected, processed and accessed is an important consideration regardless of local laws,” said Brucciani. “Ensuring data stays within a certain country or region is an effective risk management strategy and a potential selling point for organisations.”

In response to growing demand for services that restrict data flows to certain regions, WithSecure recently began offering clients of its Countercept managed detection and response solution the option of having the entire service delivered from European locations, making it easy for organisations to ensure the data stays in Europe.

And WithSecure is an active participant in several different research projects intended to strengthen Europe’s security infrastructure and spur technological innovation without relying on expertise sourced from other countries. These projects include SPATIAL – an EC-funded Horizon 2020 project under grant agreement No. 101021808 for developing trustworthy governance and regulatory frameworks for AI-driven security in Europe.

“One of the challenges surrounding data residency or anything connected with tech sovereignty is how to develop world-class technologies while limiting your sources to a specific location for better accountability and transparency. That’s why, in the European context, we need to mobilise the resources and expertise we have and unite ourselves against current and future technological challenges. That is what SPATIAL aims to promote in developing future AI-powered security systems,” said Dr Aaron Ding, Scientific Director & Coordinator for SPATIAL project.

More information on data residency is available at https://www.withsecure.com/en/expertise/resources/five-data-sovereignty-developments-how-to-manage-the-risk.

* Source: WithSecure 2022 B2B Market Research. Online survey with 3 072 respondents was carried out during May 2022 across 12 countries (UK, France, Germany, Belgium, Netherlands, Denmark, Finland, Norway, Sweden, US, Canada and Japan). Respondents were decision-makers or decision influencers in their organisations for purchase of IT, cloud or network security products and services.