How software companies can tackle regulations, localization, and residency
by Ray Zaman, Principal Solutions Architect, AWS | 25 Oct 2024 | Thought Leadership
Overview
It’s no secret that going global sets software companies up for long-term success, with opportunities for new revenue sources and greater returns on investments. Businesses are eager to move fast, but regulatory requirements can hit the brakes on benefits or even reverse growth ambitions.
Once you know the local regulatory requirements, you can confidently manage cross-border data transfer while avoiding exposure to risks such as fines, sanctions, regulatory scrutiny, and diminished reputation. Consider Europe’s General Data Protection Regulation (GDPR). If you fail to properly collect and manage a European data subject’s personal data, you can be subject to fines of up to 20 million Euros, or up to 4 percent of your business’s total global turnover for the preceding fiscal year (whichever is higher).
The regulatory landscape is constantly shifting. While some regions have specific requirements, regulations are still evolving in countries such as India as they refine their approach for different industries. New privacy mandates also often replace older ones. The EU–US Privacy Shield, for example, was designed by the U.S. Department of Commerce and the European Commission to give companies on both sides of the Atlantic a mechanism for complying with EU data protection requirements when transferring personal data from the European Union to the United States in support of transatlantic commerce; it was nonetheless ruled invalid by the European Court of Justice in 2020. With regulations varying by country, companies must be mindful of conflicting regulations as they grow into new geographies. In spite of a myriad of challenges, there are well-established methods for regulatory compliance. In this article, I’ll share how software companies can address data localization requirements without compromising speed or security.

Know your data flow
The first step should be understanding the kind of data you’re dealing with, specifically your data classification and flow. To determine what will be subject to regulations, consider how sensitive the data is, and the level of risk associated with it. Can it be freely accessed by the public? Or is it restricted to only your employees? Does it meet the local definition of data subject to regulation such as Personally Identifiable Information (PII)? For instance, Australia’s Privacy Act 1988 is the principal piece of legislation protecting the handling of personal information about individuals. This includes the collection, use, storage and disclosure of personal information in the federal public sector and in the private sector.
Despite this, not all types of data fall under this umbrella, so it’s important to know the distinctions and focus on optimizing security accordingly, especially for high-risk data. Your software, hardware, and employees can all affect the flow of data, making it important to map out the different stages of its journey from data collection to processing and storage. Once you’ve organized data based on shared characteristics and understand its path from source to destination, you’ll be better set to protect it.
Accelerate the path to compliance
As you expand into new territories, you must follow different data protection laws, regulations, governmental policies, and contractual commitments. Multiple complex compliance considerations can feel like a barrier to progress, especially when innovating at speed. By methodically evaluating how to comply with various regulations, you can save your business from encountering unexpected issues later.
Some regulations, such as China’s Personal Information Protection Law (PIPL), contain prescriptive guidance, such as passing a security assessment organized by the State cyberspace administration (under certain circumstances). Regulations in other regions, such as Brazil’s General Data Protection Law and the EU’s GDPR, are less prescriptive. There’s no pass or fail for what constitutes compliance, so companies must define their own technical and organizational controls, aligned with the level of risk they’re comfortable with.
Rather than relying on guesswork or navigating the challenge alone, industry certified assessor teams like AWS Security Assurance Services can help you implement data protection best practices including specific controls to address regulatory requirements. With expert guidance, you can satisfy, maintain, and automate compliance in the cloud, building on frameworks such as HITRUST, NIST CSF, PCI DSS, and more.
Choose the right home for your data
As the saying goes—location, location, location. This real estate cliché could also apply to data. Where you choose to run workloads can impact the value you can deliver to customers. Beyond meeting regulatory mandates on how data is stored and processed, global data residency options enable you to offer better user experiences. You can deploy workloads in regions close to users so that Internet latency, packet loss, or poor connectivity have minimal impact on application performance. There are also contractual commitments and commercial incentives, such as tax benefits, that factor into the physical location of data.
A secure, extensive, and reliable global cloud infrastructure is a must-have for great user experience. AWS offers 34 geographic regions to help you deliver optimal customer experience wherever you want to expand. Each region contains three or more Availability Zones (AZs) for reliable access to AWS services—and new regions and AZs continue to be launched based on customer demand. AWS offers tools that allow you to deploy workloads across the globe in one quick step to bring specific applications closer to your end users.
If there isn’t an AWS region in your location, end users can still benefit from very low latency access to applications running locally via AWS Local Zones. By placing services such as compute, storage, and databases closer to your new target customers, Local Zones also help you satisfy data residency requirements in more locations.
With AWS you also have the option of running AWS services in your own data center with AWS Outposts. This offers benefits to industries like financial services, healthcare, and others, where on-premises or hybrid workload deployments can help meet performance, security, or compliance requirements. Outposts enable you to control where your data resides and easily adapt to regulatory changes, with low-friction movement between cloud and edge locations. Alternatively, AWS Wavelength gives you the option to use familiar AWS tools while keeping sensitive data within geographic boundaries, and AWS Direct Connect gets your data center directly connected to the AWS network. The benefit is that data stays protected in transit, never touching the public internet.
Get set with comprehensive controls
You’ve settled on a location, and you know your data, the regulatory landscape, and the best residency option. Now you need to implement the data controls that protect your most critical assets and meet data localization requirements. Consider the technical, operational, and contractual measures that keep data protected. Do you know the safeguards and processes that need to be put in place to manage privacy? How is your data used? Who has access to it, and how is it encrypted?
Building a comprehensive approach to compliance can be challenging, and traditional assurance methods such as spreadsheets may not scale as your business grows. However, AWS offers a variety of services, tools, and resources to help you meet your compliance needs quickly and with confidence.
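One concrete control that ties the residency decision to the access question above is a region guardrail: deny API calls to any region outside the set you have approved for a given data classification, and periodically audit existing resources against the same list. The following is an added example written for this article, not code from the article or an AWS tool. It assumes that an AWS Organizations Service Control Policy (SCP) is used as the enforcement mechanism (the article itself does not name one); `aws:RequestedRegion` is a real IAM global condition key, while the approved-region list, the exempt global-service action list, the sample inventory, and the simplified policy evaluator are all constructed for illustration and do not reproduce the real IAM evaluation engine.

```python
"""Region guardrail for data residency: build a deny-outside-approved-regions
policy, simulate how it treats requests, and audit an inventory against it.

Added example; assumptions: SCP-based enforcement, constructed region list,
constructed inventory, simplified evaluator (explicit-deny statement only).
"""
import fnmatch
import json

# Constructed assumption: regulated data for this workload must stay in the EU.
APPROVED_REGIONS = ["eu-central-1", "eu-west-1"]

# Control-plane calls for global services are not region-scoped; denying them
# would break account management. Constructed exemption list for the example.
GLOBAL_SERVICE_ACTIONS = ["iam:*", "sts:*", "organizations:*", "support:*"]


def build_region_restriction_scp(approved_regions, exempt_actions=GLOBAL_SERVICE_ACTIONS):
    """Return an SCP document (as a dict) that denies every non-exempt action
    whose requested region is not in approved_regions."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenyOutsideApprovedRegions",
                "Effect": "Deny",
                "NotAction": list(exempt_actions),
                "Resource": "*",
                "Condition": {
                    "StringNotEquals": {"aws:RequestedRegion": list(approved_regions)}
                },
            }
        ],
    }


def _action_matches(pattern, action):
    """IAM action patterns look like 'service:Action' with '*' wildcards and are
    matched case-insensitively."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def evaluate(scp, action, requested_region):
    """Simplified simulation: 'DENY' if the SCP's explicit-deny statement applies
    to this request, otherwise 'ALLOW'.

    A real SCP only caps permissions; an identity policy must still grant the
    action. This helper models only the residency deny, which is what the
    guardrail adds on top of whatever the identity policies already say.
    """
    for stmt in scp["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        # NotAction: the statement does not apply to the exempt actions.
        if any(_action_matches(p, action) for p in stmt.get("NotAction", [])):
            continue
        allowed = stmt.get("Condition", {}).get("StringNotEquals", {}).get("aws:RequestedRegion")
        if allowed is not None and requested_region not in allowed:
            return "DENY"
    return "ALLOW"


# Constructed sample inventory (type, name, region); not real resources.
SAMPLE_INVENTORY = [
    {"type": "s3", "name": "customer-records-eu", "region": "eu-central-1"},
    {"type": "rds", "name": "crm-db", "region": "eu-west-1"},
    {"type": "s3", "name": "legacy-backups", "region": "us-east-1"},
]


def find_out_of_region(inventory, approved_regions):
    """Residency audit: return the resources that already live outside the
    approved regions. A deny policy stops new placements; it does not move
    what is already there, so this check complements the SCP."""
    return [r for r in inventory if r["region"] not in approved_regions]


if __name__ == "__main__":
    scp = build_region_restriction_scp(APPROVED_REGIONS)
    print(json.dumps(scp, indent=2))
    for action, region in [("s3:PutObject", "eu-west-1"),
                           ("s3:PutObject", "us-east-1"),
                           ("iam:CreateUser", "us-east-1")]:
        print(f"{action} in {region}: {evaluate(scp, action, region)}")
    for r in find_out_of_region(SAMPLE_INVENTORY, APPROVED_REGIONS):
        print(f"out of region: {r['type']} {r['name']} in {r['region']}")
```

The deny statement and the audit work as a pair: the policy prevents new data from landing in an unapproved region, while the inventory check surfaces resources that predate the guardrail or were created before the approved list changed, which is the situation the article describes when regulations shift.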
Ultimately, international expansion isn’t as simple as taking the same approach to data in a newly launched region. But with the right global infrastructure, services, and expertise, you can accelerate the process safely and start seeing the rewards.
If you’d like to learn more about managing data localization, residency, or sovereignty, and what it means for your business, please contact us. To jump start your expansion to new regions, check out AWS Global Passport and request a workshop.
About the author
Ray Zaman, Principal Solutions Architect, AWS
Ray has over 30 years of experience helping customers in finance, healthcare, insurance, manufacturing, media, petrochemical, pharmaceutical, public utility, retail, semiconductor, telecommunications, and waste management industries build technology solutions. Ray holds an M.S. in Environmental Engineering from New Jersey Institute of Technology and is based in New Jersey (US).
