Data residency: what matters, what doesn't

Data residency is a hot topic but not everything about it is equally important. Here's what to actually focus on.


TL;DR

Data residency matters most for personal data and regulated information. For general business data, location is less critical than access controls. Focus on the data categories that carry real regulatory risk.

Key Takeaways

  • Not all data needs the same residency protection — prioritize personal data and regulated information.
  • Storage location is necessary but not sufficient — also check who has access and under what legal framework.
  • Backups and disaster recovery often break residency promises — ask specifically about backup locations.
  • Sub-processors can create residency gaps even when the primary vendor is clean.
  • Practical approach: classify your data, then match residency requirements to risk level.

The data residency spectrum

Data residency has become a checkbox item in enterprise procurement. But treating all data the same way leads to either over-engineering (spending too much to protect low-risk data) or under-engineering (missing the data that actually matters).

What matters most

Personal data (GDPR Article 4)

Any information relating to an identified or identifiable person. This is the data GDPR is designed to protect, and where residency decisions carry the most regulatory weight.

Examples: Customer names, email addresses, phone numbers, IP addresses, behavioral data tied to individuals.

Regulated industry data

Financial records, health data, legal documents, and government information often have specific residency requirements beyond GDPR.

Examples: Payment card data (PCI DSS), patient health records (varies by country), classified government information.

Trade secrets and competitive intelligence

Not regulated in the same way, but the consequences of unauthorized access can be severe.

What matters less

General business data

Internal project plans, marketing drafts, team schedules, and similar operational data. While you want it secure, the residency location is less critical than access controls.

Public information

Product documentation, marketing materials, and publicly available content. Residency adds cost without meaningful risk reduction.

The hidden residency gaps

Even when your primary vendor stores data in the EU, watch for these common gaps:

  1. Backups — Where are disaster recovery copies stored? Many vendors use US-based backup services.
  2. Search and indexing — Some tools process data in a central location for search functionality, regardless of where the primary data lives.
  3. Support access — When you file a support ticket, can engineers outside the EU access your data to troubleshoot?
  4. Sub-processors — Your vendor may use third parties for email delivery, analytics, or error tracking that process data outside the EU.

A practical classification approach

| Data Category | Residency Priority | Action |
|---|---|---|
| Customer PII | High | EU-hosted, EU-owned vendor preferred |
| Employee HR data | High | EU-hosted, strong DPA |
| Financial records | High | EU-hosted, check sector regulations |
| Product analytics | Medium | EU-hosted preferred, anonymize where possible |
| Internal docs | Low | Focus on access controls, not location |
| Marketing content | Low | No residency concern |

The goal is proportional protection: high scrutiny for high-risk data, pragmatic decisions for everything else.
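The checklist of hidden gaps above and the classification table can be turned into a repeatable check over a vendor inventory. The following Python script is an added example written for this article, not code from the original post: it assigns each vendor the highest residency priority of the data categories it holds (priorities copied from the table), skips location checks for low-priority data, and otherwise reports primary storage, backups, support access and sub-processors that sit outside the EU. The region labels, vendor names and sub-processors in the inventory are constructed for illustration, and the set of regions treated as EU is an assumption you would replace with your own mapping.

```python
from __future__ import annotations

from dataclasses import dataclass, field

# Assumption: region labels are constructed for this example; real vendors
# publish their own region names, so map those into this set yourself.
EU_REGIONS = {"eu-west", "eu-central", "eu-north"}

# Residency priority per data category, taken from the article's table.
PRIORITY = {
    "customer_pii": "high",
    "employee_hr": "high",
    "financial_records": "high",
    "product_analytics": "medium",
    "internal_docs": "low",
    "marketing_content": "low",
}
_RANK = {"low": 0, "medium": 1, "high": 2}


@dataclass
class SubProcessor:
    name: str
    purpose: str
    region: str


@dataclass
class Vendor:
    name: str
    data_categories: list[str]
    primary_region: str
    backup_region: str | None        # None: vendor has not disclosed it
    support_access_regions: list[str]
    sub_processors: list[SubProcessor] = field(default_factory=list)


def in_eu(region: str) -> bool:
    return region in EU_REGIONS


def residency_priority(vendor: Vendor) -> str:
    """A vendor inherits the highest priority of any category it holds."""
    return max((PRIORITY[c] for c in vendor.data_categories), key=_RANK.__getitem__)


def residency_gaps(vendor: Vendor) -> list[str]:
    """One finding per place where data that should stay in the EU does not,
    covering the four hidden gaps: backups, support access, sub-processors,
    plus the primary storage location itself."""
    prio = residency_priority(vendor)
    if prio == "low":
        return []  # table: focus on access controls, not location
    findings: list[str] = []
    if not in_eu(vendor.primary_region):
        findings.append(f"primary storage in {vendor.primary_region}")
    if vendor.backup_region is None:
        findings.append("backup location not disclosed")  # ask the vendor
    elif not in_eu(vendor.backup_region):
        findings.append(f"backups stored in {vendor.backup_region}")
    for region in vendor.support_access_regions:
        if not in_eu(region):
            findings.append(f"support engineers in {region} can access data")
    for sp in vendor.sub_processors:
        if not in_eu(sp.region):
            findings.append(
                f"sub-processor {sp.name} ({sp.purpose}) processes data in {sp.region}"
            )
    return [f"[{prio}] {vendor.name}: {f}" for f in findings]


def audit(inventory: list[Vendor]) -> list[str]:
    """Flatten the gaps of every vendor into one report, highest-risk first."""
    report = [g for v in inventory for g in residency_gaps(v)]
    return sorted(report, key=lambda line: -_RANK[line[1:line.index("]")]])


# Constructed inventory: vendors, regions and sub-processors are illustrative.
INVENTORY = [
    Vendor("crm", ["customer_pii", "product_analytics"], "eu-central", "us-east",
           ["eu-west", "us-east"],
           [SubProcessor("mailer", "email delivery", "us-east"),
            SubProcessor("errtrack", "error tracking", "eu-west")]),
    Vendor("payroll", ["employee_hr"], "eu-west", "eu-west", ["eu-west"]),
    Vendor("analytics", ["product_analytics"], "eu-north", None, ["eu-north"]),
    Vendor("wiki", ["internal_docs", "marketing_content"], "us-east", "us-east",
           ["us-east"]),
]

if __name__ == "__main__":
    for line in audit(INVENTORY):
        print(line)
```

Run as-is, the script reports three gaps for the CRM (backups, support access and the email sub-processor all outside the EU), one "backup location not disclosed" finding for the analytics tool, and nothing for the wiki, because the table treats internal documents and marketing content as an access-control question rather than a location question. An undisclosed backup region is reported as a finding rather than silently passed, since that is exactly the question the article says to ask the vendor.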

Frequently Asked Questions

Does GDPR require data to stay in the EU?

GDPR doesn't prohibit transfers outside the EU, but it requires adequate protection for transferred data (via adequacy decisions, SCCs, or BCRs). Keeping data in the EU simplifies compliance but isn't strictly required.

What is a sub-processor and why does it matter for residency?

A sub-processor is a third-party service that your vendor uses to process your data. Even if your vendor stores data in the EU, a sub-processor might process it elsewhere, creating a residency gap.

How do I audit my current data residency situation?

Ask each vendor for their data processing agreement, sub-processor list, and data flow diagram. Compare the actual data locations with your residency requirements. Focus on your top 10 most data-intensive tools.

Is data residency enough for compliance?

No. Residency is one component. You also need proper access controls, encryption, data processing agreements, and incident response procedures.
