Canadian data residency: Helping companies keep their data in Canada

    February 11, 2019
    Where is your data?  

    It’s a simple question, but the answer gets a little more complicated and a lot more important as organisations migrate to the cloud.  

    Cloud adopters gain scalability and cost-savings, but they must also consider data sovereignty. Especially for global organisations, understanding that your data is subject to the rules and laws of the country in which it resides can help you avoid unnecessary legal and compliance headaches.  

    While this is true of any region, Canada has a number of laws and attitudes that make it wise for Canadian organisations to keep data within their own borders. Whether it’s a legal obligation, a compliance obligation or simply perception, Canadian data residency can benefit you in more ways than one.  

    The role of regulatory requirements and legislation 

    The Personal Information Protection and Electronic Documents Act (PIPEDA) is legislation that oversees how private organisations collect, use or disclose personally identifiable information (PII) as it pertains to commercial activities.  

    PIPEDA doesn’t actually require companies to keep their data within Canada. However, it does hold organisations accountable for the information they collect and requires them to provide the same level of protection for that personal information even when it’s in transit and or being processed. Keeping the data within Canadian borders, and in known locations, can help with that.  

    Outside of PIPEDA, other compliance and regulatory requirements put forth by local provinces often impose their own set of restrictions on transferring personal information. For instance, British Columbia’s Freedom of Information and Protection of Privacy Act (FIPPA) requires public bodies to store and access personal information in Canada, except for some circumstances. Meanwhile, per the Ontario Personal Health Information Protection Act (PHIPA), individuals must consent to the collection, use or distribution of their personal health information.  

    Maintaining Canadian data residency is the most effective way to adhere to these privacy laws and requirements. 

    Compliance obligations 

    In a similar vein, individual industries often must comply with certain laws and regulations of the different provinces. For example, each Canadian province has jurisdiction over lottery and gambling. As you can imagine, this comes with its own set of complications and challenges – something Inspired Gaming experienced firsthand.  

    Inspired Gaming, an online gaming, gambling and sports betting company that operates in several countries, was preparing to set up shop in the Canadian market. Historically, the company entered a new market by “buying kit.”  

    Inspired Gaming would buy hardware, setup colocation, and either operate remotely or hire staff to look after it. For its first foray into Canada, however, Inspired Gaming contacted Sungard Availability Services (Sungard AS). We took a look at what they were trying to do and suggested hosted private cloud (HPC) might be a more practical option. Aside from the financial benefits, switching to HPC would offer Inspired Gaming considerable technical advantages, including a reduced requirement for “in-country” staff, as well as the ability to flex the contract and capacity based on the demand generated by its business. 

    In addition, HPC would help Inspired Gaming comply with Canada’s provincial laws because of its ability to audit and certify for data residency in a particular geography. With HPC, Inspired Gaming would know not only what datacentre it was in, but also what blade on what rack (something hyperscale clouds can’t offer). That makes data residency requirements a lot simpler to manage.  

    How to know exactly where your data is 

    For Canadian companies, whether it’s fear of what might happen to their data beyond their borders or legal requirements, the solution for adhering to government regulations and maintaining compliance is simple -- continue to store your data in country.   

    Migrating to the cloud is advantageous to your business, but don’t forget the rules and regulations that dictate how your organisation can collect, handle and use data. HPC lets you see exactly where any data is stored.  

    No matter the goal or challenge, we’re ready to help you host, manage and maintain your data. Our Canadian data centres are ready for you.

    Other Posts You Might Be Interested In

    We Can Help You Get GDPR-Ready

    By Sungard AS The framework outlined by the EU General Data Protection Regulation (GDPR) is admirably designed to facilitate digital transactions, promote...

    Get set for GDPR

    By Sungard AS With the directive coming into force on 25 May next year, organisations need to prepare now if they are not to be in breach of the regulations. In just...

    GDPR overview: Everything you need to know for compliance

    By Herb Schreib, Sungard AS Security Consulting Practice Director PCI, HIPAA, SOX, GLBA. The alphabet soup of government regulations and compliance standards is...