Veracode’s John Smith on how businesses should approach their data residency strategies


Location, location, location – it’s the new focus of data privacy legislation. While, in the past, it was simply common practice that data would be held on U.S. servers, since the advent of GDPR this has shifted, and organisations operating in the EU are now required to hold this data within the region. And that’s not as simple as it may seem… The landmark case known as Schrems II means that there is now a legal mandate that businesses hold data in the EU. Therefore, now is the time for organisations to rethink their data’s location. With approximately 75% of organisations indicating that half or more of their data processors are based in the U.S. or non-EU territories, this legislation impacts the vast majority of organisations. The impact of Schrems II Schrems II has a long and complex history but, suffice to say, the end result was that in July 2020, the European Commission ruled that the private data of EU citizens should stay within the borders of the EU and could no longer travel across the Atlantic to be stored in the U.S.. The ruling has had a massive impact on any global organisation doing business with EU citizens, most obviously online retailers and data processors. But it has also had a big effect on anyone developing software because applications that contain and store data, or the information of users and customers that are EU residents, must abide by the ruling.

This means the personal data of any European citizens used by applications must be stored securely in servers physically located within the EU or another nation that has been granted ‘trusted status’, meaning that it is deemed to have an adequate level of data protection. The topic of data residency is one that is incredibly critical to many organisations across the region, and particularly those that hold highly sensitive data, such as financial services. We’ve seen increasing demand from organisations that want the ability to hold their data within the EU – largely as a result of Schrems II. This has led many organisations to review their current strategies, make strategic investments, and look for partners and suppliers that can support them in meeting this objective. In fact, data security spending globally is expected to grow by 17.5% this year, according to Gartner. Naturally, there is a knock-on effect on application security activity, where an application might be shared outside of the EU for testing and scanning. Securing applications at scale is costly and difficult when you consider the added pressures of compliance with EU data residency regulations. The solution - achieving data residency So, what is the solution? Well, there are currently a few different options for managing compliance in this new landscape. Yet, the situation is still evolving, so we might see further options arise as new policies are decided, or if a replacement for the now defunct Privacy Shield is created.

John Smith

As it stands, by far the safest bet is to ensure that all aspects of any of your applications containing the private data of EU citizens are hosted in data centres physically located within the EU. On-premise products are costly to scale to meet the demand for large amounts of testing, so using cloud-native application security tools delivered through a software-as-a-service model with an EU resident option is a sure-fire solution. You need to be confident that all your application data, including all instances of your software, as well as copies used for scanning and testing by third parties, is stored within the EU at a facility that is experienced in data compliance. There are many benefits to using a data centre specifically built to provide software security testing with EU data residency. It enables EU customers to continue delivering secure software quickly and easily. It also allows all the elements of an effective software security programme to work at once, including integration into the CI/CD pipeline to identify security issues early in the development process, as well as a pre-release compliance check to provide a policy compliance artefact to customers. The opportunity ahead Getting your data compliance approach right upfront is key, but it shouldn’t be a barrier to speed or success. Instead, think of it as an opportunity to review your current strategy and use it as a competitive advantage with key customers in industries that are particularly sensitive to the physical location of their data. With the stakes so high, and the added potential of new business opportunities as a result of additional investment into the European market, addressing regulatory and organisational data residency requirements is an important undertaking. Introducing a unique software-as-a-service offering can add an extra level of assurance that your application hosting will not expose you to compliance issues further down the line. Not only will you be safe against potential regulatory fines, but you can maintain the confidence of customers who trust your applications to safeguard their data.


image
image