Do you know where your cloud data resides?

BUI Modern Work Specialist Dirk Prinsloo explains why it’s imperative to know where your cloud data resides – for the sake of security and compliance.

Johannesburg, 04 Aug 2023
Data residency requirements vary from country to country.
Data residency requirements vary from country to country.

The rapid advances in cloud computing have made it easier than ever for businesses to store their data almost anywhere in the world – but this convenience has also raised a number of questions for enterprise stakeholders… Where, precisely, is digital information kept? How is it secured? And are there legal, regulatory or privacy issues to consider when it comes to data in the cloud?

“Data residency and data sovereignty can be tricky topics to navigate,” says Dirk Prinsloo, Modern Work Specialist at BUI South Africa. “There’s a lot of confusion about these terms because they’re used so interchangeably. They are related, but they don’t mean the same thing. It’s important for the public – and for cloud customers in particular – to understand each concept so that sound decisions can be made regarding data processing and data storage.”

The difference between data residency and data sovereignty

Data residency refers to the defined geographic territory where a company stores its data. The actual location may be stipulated in local, regional or national legislation; in sector regulations or industry standards; or even in the terms and conditions of a business contract.

“It’s about boundary lines,” observes Prinsloo. “It’s about the specific place where data is housed and retained. For a South African company serving South African customers within South African borders, the parameters are pretty clear. But for an international brand with offices across the globe, it can be a complex landscape.”

Data residency requirements vary from country to country. They typically apply to all business and customer data, but they can also be limited to certain types of information – including personal data (like someone’s name or gender), medical or healthcare data (like patient records from hospitals), or financial data (like a buyer’s credit card number or a company’s accounting statements).

“To put it simply, data residency is the ‘where’ of business data,” explains Prinsloo. “Where does it go after it’s been gathered? Where is its permanent, physical home? Where can it be found and retrieved, when needed? Data sovereignty, on the other hand, concerns the laws and policies that govern data because of the real-world site where it is collected, processed or preserved.”

The geography of data

While geography is a factor in both instances, it’s especially relevant in discussions about data sovereignty, continues Prinsloo. “Let’s say, for example, that I’m running a business in Rome and I’m keeping business data within Italy’s borders… That data is then subject to Italian rules, so to speak. I’m obligated to manage it in accordance with Italy’s data legislation, and I can expect to be protected – or punished – in line with the country’s legal provisions.”

In a one-enterprise-with-one-place-of-business scenario, data sovereignty matters are relatively straightforward to deal with, notes Prinsloo. Things get complicated, though, when corporate activities span more than one geographical or political zone.

“If I decided that one branch in Rome wasn’t enough, and I wanted to expand my Italian company into nearby Austria and France, then I’d have to consider the consequences of doing business in two new locations. I’d have to investigate the data sovereignty implications of gathering and storing data in those countries, subject to their individual laws as well as the decrees of the European Union bloc to which they belong.”

The global focus on data protection and compliance

While the European Union’s General Data Protection Regulation (GDPR) is among the globe’s most well-known data laws, it’s certainly not the only one. More than 130 countries have legislation in place to help safeguard the integrity, privacy and security of data. From the Privacy Act in Australia to the Protection of Personal Information Act in South Africa and the Data Protection Act in Spain, governments worldwide are mandating information protection.

“For business organisations, the current environment is something of a tightrope,” remarks Prinsloo. “They have access to sophisticated cloud technology, with virtually unlimited possibilities for growth and innovation, but they have to tread carefully because they’re also confined by data residency and data sovereignty requirements. In order to protect the data in their care, they need to know where it is and how it is managed – and that means choosing a cloud provider who understands the importance of data security and operational transparency,” he says.

The way of the Microsoft Cloud

Microsoft has decades of experience helping enterprises keep their data private and secure, while also enabling them to comply with relevant rules and regulations. “There’s a reason why Microsoft is consistently recognised as a cloud leader,” explains Prinsloo. “The company leverages a strong set of policies and technologies to give customers the most robust options for managing, controlling and protecting their cloud data.”

The Microsoft Cloud complies with over 100 national, regional and industry-specific requirements, including ISO/IEC 27001 (for information security management systems) and ISO/IEC 27017 (for information security controls), as well as the NIST 800-53 cyber security standard and compliance framework developed by the National Institute of Standards in Technology.

“It’s a lot of acronyms to remember,” says Prinsloo. “But in practice, what it means is this… The Microsoft Cloud will meet the privacy, security and compliance needs of most enterprises. That’s a compelling proposition for anyone looking to modernise their business, but specifically for those with data residency and data sovereignty commitments – because a cloud provider that handles your data responsibly, securely and transparently can be a true compliance partner, too.”

Start your cloud journey with certified experts

BUI is a Microsoft Azure Expert MSP and Microsoft Solutions Partner for Business Applications, Data & AI, Digital & App Innovation, Infrastructure, Modern Work and Security.

With 10 Microsoft Advanced Specializations in solution areas including Cloud Security, Identity and Access Management, Information Protection and Governance, and Threat Protection, BUI is a trusted technology partner to mid-market and enterprise-level organisations across the world.

Let’s talk about a cloud-powered cyber security solution to protect and defend your business data.




BUI is an award-winning IT consultancy delivering security solutions and specialised cloud services to mid-market and enterprise-level customers worldwide.

Founded in 2000, BUI is a Microsoft Azure Expert MSP, a member of the Microsoft Intelligent Security Association, and a Microsoft Solutions Partner for Business Applications, Data & AI (Azure), Digital & App Innovation (Azure), Infrastructure (Azure), Modern Work, and Security.

In addition, BUI is a Fortinet Select Partner, a Cisco Premier Integrator, a Palo Alto Networks Platinum Innovator, and an ISO27001-certified organisation.

BUI has offices in the United Kingdom (London, England), the United States (Irvine, California), South Africa (Cape Town, Durban and Johannesburg), and East Africa (Nairobi, Kenya).

BUI’s recent accolades include:

  • 2023 Microsoft Country Partner of the Year (South Africa)
  • 2022 Microsoft Azure Infrastructure Partner of the Year
  • 2022 Microsoft Modern Work Partner of the Year
  • 2022 Microsoft Security Partner of the Year

BUI website:

BUI on LinkedIn:

BUI on Facebook:

BUI on Twitter:

BUI on YouTube:

Editorial contacts

Alison Ekland
Global Marketing Manager, BUI
(087) 740 2400