Technology Portfolio Management (TPM) Best Practices - Track data residency and sovereignty requirements for technologies operating across jurisdictions
Overview
Organizations that operate across multiple countries or that use cloud technologies deployed in multiple geographic regions face data residency and data sovereignty requirements that are specific to the jurisdictions in which their data is processed and stored. EU GDPR imposes specific restrictions on the transfer of personal data to countries outside the EU unless adequate data protection safeguards are in place. Several jurisdictions impose data localization requirements that prohibit certain categories of data from being processed or stored outside their borders. And the geographic regions in which cloud services are deployed determine which jurisdiction’s laws apply to the data those services process, with consequential implications for the organization’s data protection obligations.
Best Practice
For every technology in the Technologies Inventory family that processes, stores, or transmits data — which includes most software technologies, cloud services, and hardware technologies in the data center and storage categories — maintain a data residency profile that documents: the geographic regions in which the technology processes or stores data; the categories of data the technology handles, including any regulated categories such as personal data, health data, financial data, or government-classified data; the data residency requirements applicable to the data categories handled, by jurisdiction; and the current compliance status of the technology’s geographic deployment against those requirements. Review and update data residency profiles whenever the organization expands to new jurisdictions, whenever it deploys technologies in new geographic regions, whenever the regulatory requirements applicable to any data category change, and whenever a cloud service provider changes the geographic availability or data residency guarantees of a service the organization uses.
Benefit(s)
Maintaining current data residency profiles for all data-handling technologies gives the organization the visibility needed to demonstrate compliance with data residency and data sovereignty requirements that regulators in multiple jurisdictions are increasingly scrutinizing. Technology deployment decisions that would create data residency compliance failures are identified before deployment rather than after they have created regulatory exposure. And when regulatory requirements change — as they do regularly in data protection law — the impact on the technology portfolio is assessable against the data residency profiles rather than requiring a fresh inventory of which technologies handle which data categories in which geographic regions.
Copyright for the International Foundation for Information Technology (IF4IT): 2008 - Present