By Guanfu Haffke, Director of Innovation and Strategy at Odaseva, and Vincent Delamarre, Chief Growth Officer & Co-Founder of Odaseva

China’s new data law goes into effect today, regulating how personal information is used and processed. This regulation, named the Personal Information Protection Law (PIPL), is part of a growing trend of data residency laws implemented by countries around the world. 

Companies that run on SaaS platforms including Salesforce are responsible for complying with these laws, otherwise they face stiff penalties or must cease operations in regulated countries. 

However there is a path forward. You can do business in China and other regulated markets while meeting compliance requirements. Read on for more information about the data residency challenges your business may face and recommendations for how you can run an international business on Salesforce while complying with them.

Data residency regulations are the new normal

International businesses have been running on SaaS and cloud platforms like Salesforce for years, allowing flexibility and scalability needed to respond to fast-moving shifts in global markets.

Meanwhile, governments are regulating data to protect their citizens. 

This creates a business challenge that can’t be ignored.

Governmental data regulations have existed for decades, extending back to Sweden’s first privacy law in 1973. Other well-known regulations include HIPAA and CCPA in the United States, GDPR in Europe, and more than a dozen similar laws in nations from Qatar to Uruguay.  

China’s new data regulations in 2021: DSL and PIPL

China recently raised the bar for data regulations with two new massive laws. China’s Data Security Law went into effect on September 1, 2021 and applies to a spectrum of data and data activities including data collection, storage, processing, usage, transmission, and more. The law classifies and protects data based on level of importance, with the strictest levels of protection targeting data deemed vital to China’s national interests. Penalties include fines topping $1 million, loss of business licenses, and demands to close businesses.

The second law took effect November 1, 2021. The Personal Information Protection Law (PIPL) aims to protect the rights and interests of Chinese consumers and regulate how personal information is used and processed.

More data laws are coming in countries like Brazil and India. These laws represent a sea change for international companies, especially those that rely on SaaS platforms like Salesforce to support critical operations.  

Data regulations’ impact on businesses running on Salesforce

Salesforce stores and processes data in data centers throughout the world, flexing infrastructure up and down to meet the needs of their customers. They also embrace what’s known as “the shared responsibility model.” That means that Salesforce takes responsibility for uptime and platform security, stability, and availability, while customers are responsible for protecting and managing their Salesforce data.

When confronted with massive new regulations like what we’re seeing in China, these circumstances create a perfect storm. Data regulations target the businesses who use Salesforce, not the platform itself.  

Companies that rely on Salesforce can do business in China and other regulated markets. Here are our recommendations:

Consider augmenting your Salesforce implementation with Residency-as-a-Service

Odaseva offers Residency-as-a-Service that is designed and built to solve data residency problems without creating a major disruption to business operations. It enables you to preserve your global operating model without risking non-compliance.

Educate yourself about the requirements for compliance

There is no one-size-fits-all approach to data compliance. Data regulations share many similarities across the various nations that have them, but they are not all the same. To craft the strongest compliance strategy, it is important to have a basic command over the different requirements and tailor your solution accordingly. Some countries, for example, require that the primary copy of customer data stays within the country’s borders and other copies can be stored elsewhere. 

Data classification and an agile approach to compliance are essential

In China, different regulations apply to different types of data. For example, data labeled as important to “Critical Information Infrastructure”—meaning it impacts important systems such as energy, transportation, and finance—is required to stay in China. To accomplish this, you must have the capability to understand, map, and classify your data.

These regulations and their interpretations keep evolving, so you must adopt an agile approach that allows you to revisit your choices and update your implementation along the way.

Meeting challenges such as these isn’t easy. But there is a path forward. Odaseva is deeply invested in solving the problem of data regulation. If you need support, you’ll find it with us. Get in touch for a personalized demo today.