How Can Multinational Companies Protect Consumer Data When Every Country Has Its Own Rulebook?

Multi-tenant architectures can help multinational brands remain compliant with different data sovereignty laws such as GDPR.

There’s no one-size-fits-all solution to data privacy. As digital transformation expands its reach around the globe, businesses and customers are less limited by their geography or physical borders. The power of the open web is its ability to connect people and spread information anywhere in the world. The importance of digital globalisation has never been greater than right now when people need to shop, work and learn through these digital means despite being in different locations. Yet, this universal digital transformation with the popularity of cloud technologies has also caused new challenges and complexities for organisations and governments that need to adhere to region-specific data and security requirements. 

As consumer data becomes an increasingly valuable resource for brands, governments have been enacting more data sovereignty and data privacy laws to regulate how citizens' data can be stored and processed between different countries. So, before we can understand the impact of these concepts, we need to understand the difference between them:

  • Data residency - is when an organisation requires their data to be stored in a specific geographical location (usually for regulatory or tax reasons). GDPR does not regulate data residency.
  • Data sovereignty - requires that data is subject to the laws and privacy regulations of the country where it is collected. For businesses that handle the data of European Union citizens, they must adhere to the rules laid out in the General Data Protection Regulation (GDPR) under data sovereignty.  


In 2018, the European Union passed the GDPR, digital privacy legislation meant to give consumers more control and visibility into how businesses store and use their personal data. In the past few years, other countries and regions have followed suit with their own data protection and privacy laws that held businesses accountable for getting an individual’s consent to gain their information. In Europe, organisations can be fined up to 4% of annual global turnover if they break the data sovereignty regulations in GDPR, regardless of where that data is processed.  

These restrictions can cause headaches for multinational companies that store their data in a number of different servers across multiple regions. As many companies embrace cloud services and technologies, they still need to follow specific geopolitical data and privacy policies, which can differ between countries. For example, in Germany telecom companies are subject to stricter data sovereignty and data localisation standards than other industries, while countries like France and others have enacted specific data residency and privacy laws for financial data. 

One approach to remaining compliant with data sovereignty laws while still operating as a global enterprise is multi-tenancy. A multi-tenant cloud architecture allows multiple customers to use the same platform or service while keeping all of their individual data as entirely separate entities. With a multi-tenant platform, individual teams and business units can have their own account within the platform to store, process and use their data without interference. Administrators assigned to a specific tenant or cluster of tenants may also develop specific configurations tailored to the unique business needs of those customers or regions. 

Brands that operate as a global company (multi-governing bodies) will often have multiple tenants, for example, a EU-based tenant and a U.S.-based tenant, with customer data stored respectively. Each tenant within a multi-tenant data solution has the ability to support data for a core region while maintaining global governance and security. For global enterprises, managing multiple presences across different geographies with varying levels of data regulations, a customer data platform with a multi-tenant architecture keeps each region or brand’s data isolated from other tenants, while still providing a persistent customer database and master profile for all customers.

As a cloud-native company, Acquia’s Customer Data Platform (CDP) has built its architecture to be a multi-tenant solution with overarching capabilities. Each tenant, including both Europe and North America. Acquia CDP configures each major region differently depending on the specific needs of those areas and can support different products, categories and campaigns per tenant. This ensures that data sovereignty is maintained by locating the tenant within the required region and only ingesting data into the tenant where legally allowed. While this provides a total 360-degree view per region, it may require one more layer to provide a true global view. In these cases, the CDP offers an optional Global Reporting Tenant in the appropriate regulatory region. This Global Reporting Tenant is most often based on the strictest guidelines (in this case the EU). This feature allows executives to have a unified view across their entire data platform, while allowing the local teams to operate in their region.

Diagram of the multi-tenant system architecture for a global organization managing multiple brands in the United States and the European Union. 

You can never know exactly what changes will come, but our open, flexible architecture allows customers to add additional tenants as acquisitions, regional expansions or other market forces require. With a CDP that can centrally manage everything with multi-tenancy, brands can remain agile and secure as they grow their reach and serve customers around the globe. As data regulations change, a multi-tenant approach allows you to be future-ready.

Featured Resources

View More Resources