Data balkanization: The key to balancing global privacy and data residency requirements

August 14, 2023

Ensuring and maintaining data privacy is on every organization’s priority list, whether the motivating factor is regulatory compliance, future preparedness, or consumer-led privacy demands. For most, the obvious time to act is now.

But with continued and constant changes in today’s globally- and regionally-enforced data privacy laws, success is a moving target.

The little-known key to mastering today’s data privacy balancing act is data balkanization.

What is data balkanization, and how does it lead to a more sophisticated privacy-compliant data strategy?

Data balkanization describes the fragmentation of countries, regulations, and ultimately of all the consumer data, enabling more control over where it can be collected, processed and stored. In a world where consumer trust can be easily broken but difficult to gain, ensuring data privacy must remain a dominant concern for global brands — no matter how often changing regulations force a pivot.

But we didn’t get here overnight. And many organizations are struggling to understand where we are now, overlooking how important it is to recognize how we got here in order to act effectively.

What’s changed — and what’s the current challenge?

There is a new set of risks related to data privacy —and in particular, data residency or data localization — that have become the dominant concern for risk-averse IT, data and chief privacy officers in 2023. Today, 75% of all countries have implemented some level of data localization rules, including geographical restrictions, permission-based regulations, and standards-based regulations. “For companies that have customers or employees in multiple countries, the regulatory requirements can be onerous and difficult to keep up with. Previously, ‘safe harbor’ laws or tokenization-based approaches helped companies address the issue, but recent regulatory changes have made both approaches less workable.”

Today, the imperative around data sovereignty is growing. Governments around the globe are embracing the idea that by having digitally stored information remain subject to the laws of their country, they can ensure that their laws protect and govern the data (and citizens) that matter to them. As a result, many countries now require companies that operate within its boundaries —including multinational brands that operate globally — to store data on their residents locally.

So, where does this leave us? Put simply, organizations that have traditionally excelled by thinking globally must also now think and strategize locally.

What makes mastering data privacy today so difficult?

In 2023, data sovereignty and industry compliance have factored heavily into discussions about the future of organizations’ IT architectures. In fact, only 4% feel confident that their IT organization will not be impacted by data sovereignty and compliance considerations. This leaves the vast majority of organizations at risk. And with regional data residency as a topic of growing importance, residency-as-a-service is becoming an important option. “Some countries are okay with exporting data as long as they keep a copy and there’s consent. Or they may trust data to flow to one country but not another. You have to take time and care to map all this out. Right now, countries are trying to get their hands around their own data, even if it’s at the expense of other countries. [Most often], the reason is national security, to protect their citizens’ personal data.”

Whatever the reason, companies must comply. The trouble is that a lack of clarity on all of these new rules is a problem, and most don’t know how to comply — or how to ensure that they’ll remain compliant tomorrow. Many organizations worry about ongoing compliance and legal costs, as well as ongoing technical costs required to manage each region individually. However, the risk of not trying is even higher.

  • The European Union and Russia have recently taken major regulatory actions to enforce their rules— for instance, the European Union fined Amazon $888 million for violating GDPR, and Russia banned foreign social-media companies. Regulatory bodies in China have moved against Chinese technology giants listed on global stock exchanges. In more extreme examples, countries are banning some services altogether. Austria’s Data Protection Authority, for example, has ruled against the use of Google Analytics because of concerns that EU personal data could be exposed as a result of conflicting US surveillance laws that violate GDPR.
  • Non-compliance can also mean limits on operations. As enforcement gets tougher, fines for noncompliance can be substantial. Jurisdictions also have the power to restrict corporate operations—for instance, by preventing companies from onboarding new customers. In July 2021, the Reserve Bank of India barred Mastercard from issuing new debit or credit cards to the country’s customers for violating a rule that foreign card networks must store Indian payment data only in India.

Understanding the risks, there are also factors to consider that can help determine the best path to success for your organization.

  • Consider the potential increased strain on technology, as it’s particularly hard in legacy environments to store sensitive information and deploy controls for them (especially in scenarios where technologists have moved on and poor documentation makes governance hard to implement). Note: this may also call for a need to invest in modern tools that streamline, rather than hinder, progress.
  • Recognize that ensuring compliance with localization requirements calls for more investment in different regions – along with clearly defined responsibilities and good coordination across many different entities, including privacy, data, technology, business units, and regulatory affairs. That can be hard to achieve, since they may well have conflicting priorities.

Despite increased complexity and varied requirements, that payoff can be huge for companies that figure out how to move seamlessly across geographies and scale these efforts. They’re poised to enjoy significant rewards—growth and increased market share—by complying with local requirements while offering a great customer experience and leveraging the power of their global data sets.

Plus, companies can boost their reputations and win new customers by positioning themselves as guardians of customer data and dependable sources of information about digital identity and data privacy. Today, some companies have even used their data policies to take on competitors directly, pointing out to customers that their privacy-laggard rivals haven’t implemented data safeguards comparable to their own.

Four steps to global and regional data privacy compliance done right

In the past, companies have often dealt with these regulatory shifts like GDPR as if they were isolated, one-off challenges. But when data localization requirements become more common and fragmented across geographies, companies need a process to address them systematically.

With this in mind, we have created a brief guide—applicable across industries—including a few clear steps:

1. Run a privacy gap analysis.

Evaluate current global consumer data infrastructure and operations, including the extent to which the company is able to use its current CDP and cloud partner as available “in region” to set up its own localized capabilities. Then, establish a blueprint for data residency with your CDP and cloud provider that can be scaled across regions based on localization requirements.

2. Ensure all your boxes are checked.

Your CDP should be your compliance tool for consumer data privacy, enabling: 

  • Consent management (having a single profile view of consumers that enables you centrally to capture and manage consent (opt in and opt-out) and provides a default consent filter for segmentation to support consumer compliant marketing programs)
  • Consent recognition (having the ability to recognize consumers in each channel and ensure that their consent state is complied with)
  • Data transparency (being open and clear around the data you are collecting and storing on your consumers and being able to respond to consumer data requests making profile data visible to consumers)
  • Data deletion (providing a central place to comply with consumer data deletion based on consumer request)
  • Data residency (being able to support data localization and data residency requirements country by country as data privacy rules continue to emerge, including the ability to separate data collection, data processing, storage and activation for each country with a single tenant CDP deployment in region)
  • Clean room (being able to support the set-up and configuration of a clean room for secure data access and permission-based sharing for analytics, insights and activation).

3. Plan — and budget accordingly.

Implement proper budgeting and planning, including the necessary support from global and regional IT and data teams.

4. Focus on control.

Identify specific security and privacy controls. Given the data types and the severity of the risks, these might include tokenization to protect personally identifiable information (PII) during the migration to a local infrastructure and field-level encryption for securing sensitive personal data.

We also recommend you undertake the actual data migration and set up the local infrastructure and operations securely with your CDP and cloud provider.

Lytics: The privacy and compliance tool for a new world

So, how are businesses today taking action? “Rather than using well-known technology stacks — popular combinations of technologies that are often used together — a focus on recombination, [or a composable approach], can give businesses more flexibility in dealing with privacy regulations like GDPR. For example, organizations may choose a purposeful mix of integrated technologies in order to reduce the number of interdependencies they need to consider.”

With our composable, privacy-centric CDP, Lytics is a consent-positive and privacy-first solution that scales for global organizations to comply with new data protection and localization rules. By developing a repeatable data localization approach with Lytics, a company can move efficiently from one geography to the next, thus lowering costs, while avoiding tying up management attention on regulatory issues by remaining compliant.

This article was originally published on Lytics website. Click here to see the original blog post.