For years, the typical global company built a competitive advantage by taking the same approach across geographies in operating models, IT systems, and data. But this strategy of winning through scale is under stress as countries and regions across the globe develop and enforce a plethora of overlapping (and in some cases confusing) regulations on data privacy, protection, and localization.
These rules are forcing companies to pivot from their traditional uniform approach to data management: organizations that excelled by thinking globally must now think locally. That drives up their regional compliance costs because they have to invest time, energy, and management attention to understand the unique aspects of each regulatory jurisdiction where they operate. It’s not an easy lift, but companies that figure out how to move seamlessly across geographies will enjoy significant rewards—growth and increased market share—by complying with local requirements while at the same time offering a great customer experience and leveraging the power of their global data sets.
Variations in localization requirements
Today, 75 percent of all countries have implemented some level of data localization rules. These have major implications for the IT footprints, data governance, and data architectures of companies, as well as their interactions with local regulators. Localization rules are generally intended to prevent cybercrimes (such as identity theft), to promote local economies (for instance, by creating jobs), and, perhaps most significantly, to address rising concerns about privacy. That is often the most contentious issue, and different jurisdictions are reaching different conclusions about how to balance it against the desire of companies to leverage data for their own commercial interest.
By understanding the motives of regulators, companies can handle the requirements more successfully. Rather than focusing exclusively on complying with rules, they can address the underlying reasons for them.
Current and emerging regulations fall into four broad categories:
- Geographic restrictions on data export require data to be stored and processed within a given country or region, so companies must create separate infrastructure, computing capabilities, and teams for each of them. In Europe, for example, the Court of Justice of the EU's Schrems II judgment invalidated the EU-US Privacy Shield and limits transfers of personal data to third countries that do not provide an adequate level of protection unless supplementary safeguards are in place. Companies must therefore build regional infrastructure and are less able to serve customers across geographies. In the Middle East, localization rules are forcing companies to build IT architectures in specific countries. Meanwhile, global companies in China are building IT architectures that ring-fence their Chinese businesses to ensure that they use their data in line with the country's legal requirements.
- Geographical restrictions allow data to be copied outside the country of origin for processing but require a replica in the local infrastructure. These rules (in Indonesia and Malaysia, for example) are often intended to develop local economies.
- Permission-based regulations require institutions to get consent from specific individuals to transmit data. Brazil and Argentina require banks in particular to get their customers’ explicit permission.
- Standards-based regulations allow institutions to move data more freely outside the originating jurisdiction but require them to ensure the security and privacy of their customers’ data.
The complexity of localization
For the past several decades, globalization has encouraged the convergence of standards and lowered trade barriers. Data localization works in the opposite direction by requiring increasingly local approaches. It erodes efficiency because institutions must retain more people and technology in a given market and degrades their ability to provide seamless, consistent services across countries. It also increases the level of compliance risk. In some countries, data localization requirements can even make a market economically unattractive, prompting institutions to exit, limiting their global footprint, and depriving that market of their services.
These complexities manifest themselves in a number of ways:
Varied localization requirements. Many such regulations are at the national level, which makes them highly variable and, in some cases, contradictory (exhibit). Multiple jurisdictions may govern the same data set, and it may be impossible for companies to comply with all of the regulations. One prime example: the US anti–money laundering protocols, which must be applied globally, though in many countries data location regulations hinder the exchange of information.
A mixture of regulatory standards and interpretations. Some regulations are based on principles, others on rules. Vague wording can make it difficult to predict what is and isn't allowed. Some executives say that the rules are applied inconsistently: regulators give different answers to different institutions. Since the rules evolve rapidly, companies must be able to update their approaches frequently, which is particularly difficult because technology decisions often involve multidecade time horizons. The European Union's General Data Protection Regulation (GDPR), for example, lays out principles and obligations for handling personal information gathered in its member states (its security-of-processing provision, Article 32, names pseudonymization and encryption as appropriate measures) but largely leaves the choice of specific technical controls to the company. Companies are therefore still learning to translate these obligations into specific internal guidelines for technology decisions.
Varying standards for technical systems. Regulations such as the GDPR, the China Cybersecurity Law, and the Russian data law all outline standards for systems that handle the personal data of citizens. GDPR creates de facto localization requirements not explicit in the law by strictly regulating data transfers to “unsafe” geographies. India mandates the physical presence of data (or copies) within the country. China and Russia impose additional technical-localization requirements (for instance, reviews of source code and restrictions on cryptography), which may place intellectual property, systems, and assets at risk.
Difficulties defending against cyberthreats. Localization requirements are reversing the trend toward centralized security models. Decentralized models divide management attention and resources across regions: security tooling, patching, monitoring, and key management are duplicated rather than shared, and the weakest regional environment sets the effective security level. The resulting risks include data exfiltration from less mature regional deployments, inconsistent infrastructure hardening and encryption practices from one region to the next, and threats to the integrity of source code where local rules require it to be disclosed or reviewed.
An increased strain on technology. Many institutions have difficulty identifying all systems that store sensitive information and deploying controls for them. This is particularly hard in legacy environments where the original technologists have moved on and poor documentation makes governance difficult to implement; data that cannot be found cannot be localized, encrypted, or kept from leaving the jurisdiction.
Operating models. Ensuring compliance with localization requirements calls for more investment (including hiring local expertise) in different regions. It also requires clearly defined responsibilities and good coordination across many different entities, including privacy, data, technology, business units, and regulatory affairs. That can be hard to achieve, since they may well have conflicting priorities.
Scrutiny spreading beyond personal data into commercial data. Some legislation, for instance the China Cybersecurity Law, identifies critical sectors where business information may not be transferred abroad without permission from the government. These sectors include telecommunications, energy, financial services, government, and critical infrastructure.
Enforcement as a priority and significant fines. The European Union and Russia have recently taken major regulatory actions to enforce their rules. In July 2021, for instance, Luxembourg's data protection authority fined Amazon €746 million (about $888 million) under the GDPR, and Russia has restricted or blocked some foreign social-media services. Regulatory bodies in China have moved against Chinese technology giants listed on global stock exchanges. In more extreme examples, countries are banning some services altogether. Austria's data protection authority, for example, ruled in January 2022 that a website's use of Google Analytics violated the GDPR, because the personal data of EU users transferred to the United States could be accessed under US surveillance laws without protection equivalent to that the GDPR requires.
The competitive opportunities
Data-handling and localization regulations are constantly changing, so companies must continually reassess them. Nonetheless, we think organizations that tackle the challenge will enjoy significant benefits.
For one thing, complying with data localization rules reduces regulatory risk. As enforcement gets tougher, fines for noncompliance can be substantial. Jurisdictions also have the power to restrict corporate operations, for instance by preventing companies from onboarding new customers. In July 2021, the Reserve Bank of India barred Mastercard from issuing new debit or credit cards to the country's customers for violating a rule that foreign card networks must store Indian payment data "only in India."
It’s not just regulators that take data privacy rules seriously. Consumers too have increasingly high expectations for how their data are used and transmitted. Digital trust is a serious concern for them. But while the advantages of reducing risk are real, they are a defensive play. More compelling are the upside benefits of getting localization right. Companies that address these issues have a significant competitive advantage in several key areas:
An optimized customer experience. Companies can, for example, offer customers a personalized experience wherever they travel, innovate more rapidly by using larger and more diverse data sets, and move rapidly into new geographies feeling confident about their ability to adapt their approach as required.
Lower compliance costs. By developing a repeatable data localization approach, a company can move efficiently from one geography to the next, thus lowering costs. Staying in compliance also avoids tying up management attention on regulatory issues.
Positioning and reputational advantage. Companies can boost their reputations and win new customers by positioning themselves as guardians of customer data and dependable sources of information about digital identity and data privacy. Some companies have even used their data policies to take on competitors directly, pointing out to customers that their rivals haven’t implemented data safeguards comparable to their own.
Support M&A valuations. Another powerful benefit of managing data regulation well lies in the realm of mergers and acquisitions. An acquirer needs to know if a target’s data capabilities will be an asset or a liability. If the target can show a potential suitor a clean track record of data security and privacy compliance, it will deserve and receive a better valuation.
A playbook for data localization
In the past, companies have often dealt with these regulatory shifts as if they were isolated, one-off challenges. But as data localization requirements become more common and more fragmented across geographies, companies need a process to address them systematically. With this in mind, we have created a playbook, applicable across industries, with a few clear steps:
- Conduct a full-scale assessment of the underlying regulatory demands to understand the exact requirements and to reach alignment on the necessary actions.
- Review the potential market opportunity in a particular region or country to determine if it warrants its own IT and data infrastructure.
- Define a target state for a possible regional IT and data infrastructure and operations, including the extent to which the company will use local providers or set up its own localized capabilities.
- Implement proper budgeting and planning, including the necessary support from global and regional IT and data teams.
- Identify specific security and privacy controls. Depending on the data types and the severity of the risks, these might include tokenization, which replaces personally identifiable information (PII) with surrogate values so that the PII itself never leaves the jurisdiction during the migration to a local infrastructure, and field-level encryption for securing sensitive personal data, with the encryption keys generated and held in the region so that exported ciphertext is unusable elsewhere.
- Undertake the actual data migration and set up the local infrastructure and operations securely.
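As an added illustration of the two controls named in the playbook (this is example code written for this page, not code from the original article or from any particular vendor), the following Go program shows how tokenization and field-level encryption fit together when a regional copy of customer data is prepared for export to a global data set: a token vault replaces PII with random surrogates and stays in the originating jurisdiction, and AES-256-GCM encrypts sensitive fields under a region-held key, with the record identifier and field name bound into the ciphertext so an encrypted value cannot be transplanted into another record. The record layout, the in-memory vault, and the sample customer are constructed assumptions for the example; in practice the vault would be a regional database or HSM-backed service and the key would come from a regional key-management system.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
)

// Record is a constructed customer record used for this example.
type Record struct {
	CustomerID string // identifier, travels in the clear
	Email      string // PII: replaced by a vault token before export
	NationalID string // sensitive personal data: field-level encrypted before export
	Balance    int    // business data, travels in the clear
}

// TokenVault maps random surrogate tokens to the PII they replace. The vault
// (an in-memory map here, a regional database or HSM-backed service in
// practice) stays in the originating jurisdiction; only the tokens leave.
type TokenVault struct {
	byToken map[string]string // token -> original value
	byValue map[string]string // original value -> token, so repeats get a stable token
}

func NewTokenVault() *TokenVault {
	return &TokenVault{byToken: map[string]string{}, byValue: map[string]string{}}
}

// Tokenize returns the surrogate for value, minting a fresh random one on first use.
func (v *TokenVault) Tokenize(value string) (string, error) {
	if tok, ok := v.byValue[value]; ok {
		return tok, nil
	}
	buf := make([]byte, 16)
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	tok := "tok_" + base64.RawURLEncoding.EncodeToString(buf)
	v.byToken[tok], v.byValue[value] = value, tok
	return tok, nil
}

// Detokenize resolves a token back to the PII; only in-region code can do this.
func (v *TokenVault) Detokenize(tok string) (string, error) {
	value, ok := v.byToken[tok]
	if !ok {
		return "", errors.New("unknown token")
	}
	return value, nil
}

// FieldCipher encrypts individual fields with AES-256-GCM under a key that is
// generated and held in the region, so ciphertext may leave but is useless without it.
type FieldCipher struct{ aead cipher.AEAD }

func NewFieldCipher(key []byte) (*FieldCipher, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &FieldCipher{aead: aead}, nil
}

// Encrypt seals plaintext with a fresh nonce and binds it to recordID/field via GCM
// additional data, so a ciphertext cannot be moved to another record or field.
func (c *FieldCipher) Encrypt(recordID, field, plaintext string) (string, error) {
	nonce := make([]byte, c.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	sealed := c.aead.Seal(nil, nonce, []byte(plaintext), []byte(recordID+"/"+field))
	return base64.StdEncoding.EncodeToString(append(nonce, sealed...)), nil
}

// Decrypt reverses Encrypt and fails if the ciphertext, nonce, or binding was altered.
func (c *FieldCipher) Decrypt(recordID, field, encoded string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(encoded)
	if err != nil {
		return "", err
	}
	n := c.aead.NonceSize()
	if len(raw) < n {
		return "", errors.New("ciphertext too short")
	}
	plain, err := c.aead.Open(nil, raw[:n], raw[n:], []byte(recordID+"/"+field))
	if err != nil {
		return "", err
	}
	return string(plain), nil
}

// ExportRecord builds the copy that may leave the region: PII tokenized,
// sensitive data encrypted, business data untouched.
func ExportRecord(r Record, vault *TokenVault, fc *FieldCipher) (Record, error) {
	tok, err := vault.Tokenize(r.Email)
	if err != nil {
		return Record{}, err
	}
	enc, err := fc.Encrypt(r.CustomerID, "NationalID", r.NationalID)
	if err != nil {
		return Record{}, err
	}
	return Record{CustomerID: r.CustomerID, Email: tok, NationalID: enc, Balance: r.Balance}, nil
}

// RestoreRecord rebuilds the original from an exported copy; it only works where
// both the vault and the regional key are available, i.e. inside the region.
func RestoreRecord(r Record, vault *TokenVault, fc *FieldCipher) (Record, error) {
	email, err := vault.Detokenize(r.Email)
	if err != nil {
		return Record{}, err
	}
	nid, err := fc.Decrypt(r.CustomerID, "NationalID", r.NationalID)
	if err != nil {
		return Record{}, err
	}
	return Record{CustomerID: r.CustomerID, Email: email, NationalID: nid, Balance: r.Balance}, nil
}

func main() {
	key := make([]byte, 32) // regional data key; from a regional KMS/HSM in practice
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	fc, err := NewFieldCipher(key)
	if err != nil {
		panic(err)
	}
	vault := NewTokenVault()
	local := Record{CustomerID: "cust-42", Email: "ana@example.com", NationalID: "123-45-6789", Balance: 1500}
	exported, err := ExportRecord(local, vault, fc)
	if err != nil {
		panic(err)
	}
	fmt.Printf("leaves region:      %+v\n", exported)
	restored, _ := RestoreRecord(exported, vault, fc)
	fmt.Printf("restored in region: %+v\n", restored)
}
```

Two design choices matter for the localization use case. Stable tokens (the same e-mail always maps to the same surrogate) let the global data set join and deduplicate records without ever seeing the PII, which is what lets a company keep leveraging its global data while the identifying values stay local. Binding the record identifier and field name into the GCM additional data means a ciphertext copied into a different record, or into a different column, is rejected on decryption rather than silently accepted.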
By following these steps, a company can define the right response while also deciding whether the effort is actually warranted. Companies should bear in mind that many aspects of localization can be handled locally—for instance, searching for local providers, setting up replicated systems, and interacting with regulators. However, to ensure that data are transferred properly and securely to the head office, it’s necessary to get appropriate legal counsel. Internal architectural and IT security alignment on key technical components, such as the scope of any existing or planned data lake and data warehouse projects, must also be secured.
Around the world, we see a plethora of new data localization regulations. Although they have a variety of rationales, the IT and data landscape challenges are often very similar. Companies agile enough to manage this regulatory shift could enjoy considerable competitive advantages.