How Can Multinational Companies Protect Consumer Data When Every Country Has Its Own Rulebook?

As customer data becomes increasingly valuable to brands, governments have enacted more data sovereignty and privacy laws to regulate how citizens' information can be stored and processed between different countries. In other words, the regulations shaping data sovereignty and privacy dictate not only how personal data is stored but also where. We see this with data sovereignty, which requires data to be subject to the laws and privacy regulations of the country where it’s collected.

The shifting landscape means multinational companies face complex rules further complicated by a lack of uniformity from one country to the next. So how might global brands ensure that they satisfy the requirements that nations impose around consumer data?

The impact of GDPR and Brexit on data sovereignty

In 2018, when the EU passed the GDPR ruling, the digital privacy legislation sought to give consumers more control and visibility into how businesses store and use their personal data. Since then, other countries and regions have followed suit with their own data protection and privacy laws that hold businesses accountable. Some nations now require organizations to obtain individuals’ consent before capturing their information. In Europe, organizations can be fined up to 4% of their annual global turnover if they break GDPR stipulations, regardless of where that data is processed.  

These restrictions can cause headaches for multinational companies that store their data in a number of different servers across many regions. As businesses embrace cloud services and technologies, they still need to follow specific geopolitical data and privacy policies, which can differ between countries. For example, in Germany, telecom companies are subject to stricter data sovereignty and data localization standards than other industries, while countries like France have enacted specific data residency and privacy laws for financial data.

Brexit has also added new considerations for businesses and government bodies. Personal data of U.K. residents and citizens might need to be stored locally, and while there’s no specific law compelling companies to host their servers in the UK, they can mitigate risk and ensure compliance by working with providers with data centers found locally. Acquia, for instance, uses a data center in London to provide in-country hosting services and has data centers in Ireland, Germany, Singapore, Australia, Japan, and China. So, in an uncertain regulatory environment, businesses can find peace of mind by working with providers with regional data centers that have high availability and multi-region failover capabilities. 

A multi-tenant solution for complying with data sovereignty laws

One approach to remaining compliant with data sovereignty laws while still operating as a global enterprise is multi-tenancy. A multi-tenant cloud architecture allows various customers to use the same platform or service while keeping all their individual data as entirely separate entities. With a multi-tenant platform, individual teams and business units can have their own account within the platform to store, process, and use their data without interference. Administrators assigned to a specific tenant or cluster of tenants may also develop configurations tailored to the unique business needs of those customers or regions. 

Brands that operate as a global company (or multi-governing bodies) will often have multiple tenants — for example, an EU-based tenant and a US-based tenant — with customer data stored respectively. Each tenant within a multi-tenant data solution can support data for a core region while maintaining worldwide governance and security. For global enterprises managing multiple presences across different geographies with varying levels of data regulations, a customer data platform (CDP) with a multi-tenant architecture keeps each region or brand’s data isolated from other tenants, while still providing a consistent customer database and master profile for all customers.

Image

Diagram of the multi-tenant system architecture for a global organization managing multiple brands in the United States and European Union. 

As a cloud-native company, Acquia’s customer data platform (CDP) features a multi-tenant architecture solution with overarching capabilities. Each tenant — whether they’re in Europe or North America (or both) — has the ability to support data for a core region. Acquia CDP configures each major region differently depending on the needs of those areas and can support different products, categories, and campaigns per tenant. This capability maintains data sovereignty by locating the tenant within the required region and only ingesting data into the tenant where legally allowed.

While the solution provides a 360° view per region, it may require one more layer to provide a true global view. In these cases, the CDP offers an optional Global Reporting Tenant in the appropriate regulatory region. This Global Reporting Tenant is most often based on the strictest guidelines (in this example, the EU). This feature gives executives a unified view across their entire data platform while allowing local teams to operate in their region. 

You never know when changes will occur, but our open, flexible architecture allows customers to add additional tenants as acquisitions, regional expansions, or market forces require. With a CDP that can centrally manage everything with multi-tenancy, brands remain agile and secure as they grow their reach and serve customers around the globe. As data regulations change, a multi-tenant approach allows you to be future-ready.

If your organization is grappling with data sovereignty, data residency, or multi-tenancy issues, reach out to talk through our solutions. And read more about our in-country hosting for organizations in the UK here.