Data residency refers to the physical or geographic location of an organization's data or information. Similar to data sovereignty, data residency also refers to the legal or regulatory requirements imposed on data based on the country or region in which it resides.
Cloud computing, which allows businesses to deliver hosted services over the Internet, can create data residency concerns. With cloud computing, users are often unaware of their data's physical location, as cloud providers store data globally across different data center locations. Therefore, users need to be aware of their data's local residency laws and regulations. To do this, users need to know where their cloud provider's data centers are located across the globe and research the different data residency policies for each respective location. Additionally, cloud users should try to ensure their service-level agreements (SLAs) with cloud providers establish where their data can and cannot be stored.
There are many government policies and regulations that deal specifically with data privacy and residency issues. The Health Insurance Portability and Accountability Act (HIPAA) is a data privacy and security law designed to protect medical information. Payment Card Industry Data Security Standard (PCI DSS) is a set of policies to secure credit and debit cardholder information. Outside of the United States, data residency and privacy regulations include Germany's Federal Data Protection Act and the United Kingdom's Data Protection Act.
To protect data from unwanted access regardless of its geographic location, organizations can use cloud data encryption tools. Cloud encryption services transform user data into ciphertext before it's stored in the cloud. Cloud encryption service vendors include CipherCloud, Vormetric and Perspecsys, among others.
In April 2015, the Object Management Group (OMG) created the Data Residency Working Group to study data residency issues, including how to control and document data within cloud computing environments.