Beyond The General Data Protection Regulation - McAfee


REPORT

Beyond the General Data Protection Regulation (GDPR):
Data residency insights from around the world
Table of Contents

3 Introduction

5 #1 Data in a Turbulent World

8 #2 Data Protection as Competitive Advantage

10 #3 GDPR: Awareness, Preparation and Response

14 #4 Where is My Data? Data storage, location and migration

16 #5 Country-specific Regulations: Understanding and impact

18 Summary

19 Appendix: Methodology and survey demographics

2 Beyond the General Data Protection Regulation (GDPR): Data residency insights from around the world

Introduction

As every business decision-maker should now know, the E.U. General Data Protection
Regulation (GDPR) enforcement date is coming. The GDPR will be enforced starting May
2018 and will apply to those collecting, storing or using the personal data of the residents
of the European Union’s 28 member states. The Regulation changes requirements around
protecting the personally identifiable information of over 500 million people, and occupies
the minds of anyone around the world concerned with data protection.

The GDPR is not the only regulation affecting global business, of course, nor is it the only issue that concerns those charged with storing, processing, managing and protecting one of the world’s most valuable assets: data.

To better understand data decision-making, McAfee® commissioned Vanson Bourne to survey the views of 800 senior business professionals across eight countries around the world from a range of industry sectors.

The following pages will shed light on how the respondent organizations currently approach data management, protection and residency (the physical location where data is stored). This report also explores the impact of global events such as:

■■ Geopolitical changes in several regions, and their impact on data policies. (See Section #1)
■■ The role of data protection as a competitive advantage
■■ The degree to which organizations are aware of, and prepared for, GDPR
■■ The driving factors behind data residency decisions
■■ The impact of 11 country- and sector-specific regulations

From the dozens of fascinating findings that follow, here are just nine:

1. Global events affect data migration plans
Nearly half of organizations plan to or say they will migrate data as a result of political changes, including GDPR, Brexit and changing policy approaches in the U.S. (See Section #1)
Organizations will spend $85,000 less on average in the United States because of U.S. government policies. (See Section #1)


2. Privacy sells: Data protection delivers commercial advantage
Seventy-four percent of respondents believe organizations that properly apply data protection laws will attract new customers. (See Section #2)

3. Public opinion is key to data decision-making
Eighty-three percent of organizations take public sentiment toward data privacy into account when making data residency decisions. (See Section #2)

4. GDPR will make Europe the world’s data leader
Seventy percent believe the implementation of GDPR makes Europe a world leader in data protection. (See Section #2)

5. Organizations take 11 days on average to report a breach
GDPR requires that the local regulator is alerted within 72 hours of a data breach or be given reasons for the delay. Currently, it takes nearly four times as long – 11 days on average – to report a breach. (See Section #3)

6. Organizations expect cloud service providers to help with compliance
Eight in 10 organizations are planning, at least in part, to leverage their cloud service provider to help achieve data protection compliance. Some might be overestimating the degree to which cloud providers are accountable. (See Section #3)

7. Most organizations are ‘unsure’ where their data is stored
Forty-seven percent of respondent organizations say they know where their data is stored at all times. That means the majority are unsure, at least some of the time. (See Section #4)

8. The United States is the most popular data storage destination
Forty-eight percent of organizations in our survey expressed a preference for their data storage to be in the U.S., followed by Germany (35 percent), the U.K. (33 percent) and France (25 percent). (See Section #4)

9. Only 2% of bosses say they know the full extent of the laws that apply to their organizations
The majority of respondents (54–74 percent) believe their organization has a “complete understanding” of the data protection regulations that apply to them. In fact, just 2 percent of senior decision-makers know all the clauses of regulations that apply to their organizations, a reflection perhaps of the complexity of those regulations. (See Section #5)


#1 Data in a Turbulent World

Rarely has the world experienced such flux. Economic and political upheaval is matched by accelerated digitalization, mass movement of populations and fears of physical and cyber terrorism. Laws regulating the use of personal data and those seeking to give governments greater surveillance powers in the name of national security do not operate in a vacuum. Rather, they operate in the context of this upheaval. They present a moral tug-of-war for policy-makers and the societies in which they operate, as well as a major dilemma for business organizations operating within them.

That’s why the first part of this extensive report into the attitudes, actions and intentions of senior decision-makers explores the potential impact of geopolitical changes and a diverse set of events such as Apple’s reluctance to grant backdoor iPhone access in the aftermath of the San Bernardino shootings of December 2015.

To what extent do globally recognized events influence data migration plans? According to the findings, nearly half of organizations will migrate data as a result of political changes, including the forthcoming E.U. General Data Protection Regulation (GDPR) (48 percent), the U.K.’s exit from the E.U. (48 percent), or U.S. policies (47 percent). Some are actively doing so today. Others have plans to do so.

Data Migration Plans
Is your organization actively migrating its data to a different location as a result of the following?

Event                        Yes   No, but plan to   No, and no plan to   Don’t know
GDPR                         27%   21%               39%                  13%
U.K. exit from E.U.          27%   21%               40%                  12%
U.S. policies                27%   20%               40%                  13%
Apple/San Bernardino         23%   18%               45%                  15%
Microsoft/U.S. cloud access  25%   17%               44%                  14%
Government surveillance      27%   17%               39%                  17%

“According to the findings, nearly half of organizations will migrate data as a result of political changes.”

In response to three major events, 41 percent have or plan to migrate data as a result of the Apple/San Bernardino case; 42 percent in response to the Microsoft/U.S. cloud data access case; and 44 percent as a result of increased awareness around government surveillance. These are smaller numbers, but there remain substantial minorities who intend to act as a result of external events.

It’s worth noting that migration does not necessarily mean moving data out of a relevant country. It might mean moving it into that country. For example, organizations may respond to the enforcement of GDPR in 2018 by storing data in one of the 28 E.U. member states (see Section #4 for more detail). On the other


hand, organizations may choose to respond to the United Kingdom’s exit from the European Union due in 2019 by moving data into or out of the U.K.—depending on customer location.

Those who work in the healthcare sector are more likely than others to respond to changes in the E.U. by rethinking their data migration plans. In both cases, 52 percent of respondents from the healthcare sector have already migrated data or are planning to do so.

Beyond migration plans, these world events are likely to have implications for technology acquisition and investment.

According to the senior decision-makers who responded, U.S. policies introduced by the current administration already have—or will have—an effect on technology acquisition investments in 63 percent of instances. The same number said E.U. realignment will impact technology investment while GDPR will have an effect in two thirds (66 percent) of cases.

These figures may reflect a belief shared by just over half of respondents (51 percent) that heavy-handed external data protection regulations are holding their organization back from adopting new technologies.

To get a sense of the level of investment decline, respondents were asked to quantify likely changes in spending over the next five years.

Average Change in Spend Over the Next Five Years
GDPR and spend within E.U.          -$83,654
U.S. policies and spend within U.S. -$85,414

“The average reduction among all organizations as a result of government policies within the U.S. is projected to be $85,414 over the next five years.”

The findings suggest there will be a material reduction in spending as a result of geopolitical changes. The average reduction among all organizations as a result of government policies within the U.S. is projected to be $85,414 over the next five years. A similar reduction, $83,654, will result within the European Union because of GDPR. So while there may be a short-term increase in spending on GDPR compliance, overall enterprise spend might well decline. Perhaps as significant—and an illustration of ongoing uncertainty—a fifth of respondents do not yet know how U.S. policies (20 percent) and GDPR (19 percent) will impact enterprise spending.

Impact on Technology Investment
What do these results say about technology spend in the near to medium term? They suggest, at the very least, that a number of global events and a major forthcoming regulation are giving organizations pause for thought. Some will revise and review spending plans, while some may choose to reduce overall investment.


These events are likely to have an impact on decisions around enterprise infrastructure and the ongoing role of cloud and cloud services. They may also lead to an increase in the number of data-focused recruits.

There are likely to be more urgent conversations about the geographic location of data on premise, in managed or dedicated data centers, in the cloud, or in a combination of all three. Data residency will rise up the corporate agenda, determining the questions asked of service providers and the location of managed infrastructure on a country-by-country basis.

This shouldn’t be read, however, as a move away from cloud as an essential part of data provision. It may, however, encourage organizations to explore private rather than public infrastructure in the first instance.


#2 Data Protection as Competitive Advantage

It’s time to challenge conventional wisdom. Data protection is not only good practice, but a legal obligation to meet and an organizational requirement. It can offer an opportunity to get on top of data storage and locate every piece of data that resides within an organization, as well as a chance to reconnect with customers and clients, establishing consumer trust in the process.

The following findings bear out this progressive view of data protection.

Consider, for example, the fact that most organizations take public sentiment toward national data privacy into account when selecting where to store data. Accordingly, 47 percent of senior decision-makers in this survey said public mood influenced all their storage decisions, while a further 36 percent said it helped influence the decision. (See Section #4 for more on data residency).

Or how about the opportunities GDPR creates? Some challenging aspects of the E.U.’s forthcoming data protection regulation are discussed in the following section, but consider that seven in 10 senior business decision-makers believe Europe is leading the world in its approach to data protection. A similar number (67 percent) believe GDPR will help promote investment in Europe. In short, the protection of customer and other data through GDPR compliance could give some organizations a competitive advantage.

Some respondents consider data protection a competitive advantage and are able to measure its commercial impact. Nearly three quarters (73 percent) say they are able to quantify the value of security, including data protection, to the business while a similar number (74 percent) believe organizations are using data protection as a means of attracting new customers.

Rethinking the Value of Data Protection
Data protection may provide multiple business benefits. These benefits include the avoidance of fines and regulatory penalties, as well as the costs of dealing with the aftermath of a breach, for example. They may also include the retention of customer trust and the avoidance of reputational damage.

Meanwhile, compliance activities can have a benign effect on other business processes which, while not part of this study, are important.

With clean and secured data, a business can better trust the integrity of the analytics it is generating. To put it another way: no more “garbage in.”

World Leaders?
70% of respondents agree with the statement, “Europe is a world leader in data protection by implementing the GDPR.”
67% of respondents agree with the statement, “The GDPR will help promote investment in Europe.”


Furthermore, lessons learned through compliance measures to protect customer information can be applied to other data, such as a company’s intellectual property. No organization needs the value of its IP, nor the competitive advantage it affords, spelled out to them.

Finally, there is an impact on business culture that should not be underestimated, especially the effect it has on talent acquisition and retention. The protection of data is a proxy for a transparent and ethical approach to business, exactly the values today’s workforce craves.

Competitive Advantage?
73% of respondents agree with the statement, “My organization is able to quantify the value of security to the business.”
74% of respondents agree with the statement, “Organizations are using data protection to attract new customers.”


#3 GDPR: Awareness, preparation and response

Business burden or entrepreneurial opportunity? The GDPR may be both.

Due to be enforced starting on 25 May 2018, GDPR is the successor to the 1995 Data Protection Directive. Although applicable to each E.U. member state, it is relevant to any company—regardless of country of origin—that collects, stores and uses the data of E.U. residents as either customers or employees. It is relevant to any organization that has staff but no clients or customers in Europe.

GDPR is long-awaited because much has changed since 1995. Two decades ago, the commercial internet was in its infancy and most of the data an organization held was stored within its perimeter, typically on premise. While some corporate functions were out-sourced, and data was transferred for payroll, for example, the number of third-party vendors and the complexity of their tasks has changed dramatically. Today, data access is 24/7, on demand, mobile and cloud-based. Meanwhile, the Internet of Things, machine learning and artificial intelligence have changed our understanding of what constitutes personally identifiable information (PII), its access and its use.

GDPR is not only the most ambitious piece of data protection regulation this century—directly affecting a trading bloc with a combined population of over 500 million people—it is perhaps the most complex piece of data-related legislation anywhere in the world, raising the bar for all those operating in Europe, bringing it in line with the most stringent protection regulations that currently apply in the Netherlands and Germany. It also brings together security and privacy in a way that hasn’t been done before and continues to allow member states to make local variations.

In terms of those who need to be ready for May 2018, 86 percent of respondents believe their organization has either a “good” or “complete understanding” of GDPR.

Of those respondents who have minimal or no understanding of what GDPR means to them, there is notable variation by sector and size of company. For example, 27 percent of public sector organizations say they have minimal or no understanding while that is the case for only 8 percent of private healthcare companies. Meanwhile, organizations of 5,000 employees or more rated themselves lowest by this measure, with 19 percent of respondents suggesting minimal or no organizational understanding of GDPR. This high figure may reflect the difficulty larger organizations face.

Notwithstanding this, the generally high level of understanding might reflect the time organizations claim they have spent planning for GDPR—24 months on average, with just under half (47 percent) planning for more than two years.

Understanding GDPR
Those respondents whose organization does business within the E.U. were asked, “To what extent does your organization understand what the GDPR means to them?”
[Pie chart: values 5%, 10%, 44%, 41%; legend: Complete understanding, Good understanding, Minimal understanding, No understanding at all]


Planning for GDPR
How long has your organization been planning for the upcoming E.U. data protection regulation (the GDPR)?
More than four years                                      1%
Between three and four years                             25%
Between two and three years                              21%
Between one and two years                                20%
Between six months and one year                          11%
Less than six months                                      1%
We haven't started planning yet but it will affect us     4%
We haven't started planning yet as it will not affect us  5%
I don't know                                             14%
Average = Two years

To illustrate the pervasive nature of European-related legislation, consider that three quarters of survey respondents, regardless of country of origin, currently do business within the E.U., with a further 13 percent not conducting business there but planning to. Only one in 10 organizations insists it has no plans to do business in Europe, a figure skewed by the 21 percent of public sector organizations that answered no. It’s worth repeating that any organization that collects, stores or uses the PII data of European Union residents will fall under the auspices of the GDPR, regardless of whether they consider themselves actively carrying out business in the E.U. or whether they ever let the data leave the E.U.

Among the significant new elements of GDPR, especially for companies focused in the E.U. where not all countries have laws around data breach reporting, is the requirement to report a breach to the regulator “without undue delay, and where feasible, not later than 72 hours” of becoming aware of it or explain the reasons for the delay. Are organizations in a position to do this? The findings suggest it will be a challenge. Asked how quickly they thought they could report a breach today, only a quarter (26 percent) believe they could meet the three-day deadline.

“In terms of those who need to be ready for May 2018, 86 percent of respondents believe their organization has either a “good” or “complete understanding” of GDPR.”

Readiness to Report Breaches
On average how quickly can your organization report a breach of your defenses in regards to personal data that you hold?
Longer than 1 month              1%
Between 2 weeks and 1 month     23%
Between 1 to 2 weeks            20%
Between 3 and 7 days            18%
Between 1 and 3 days            23%
Less than 24 hours               3%
Don't know                      13%
Average = 11 days

On average, it takes organizations 11 days to report a breach of their defenses, nearly four times longer than necessary to meet GDPR’s timetable. Nearly a quarter of respondents say it takes two weeks or more. On a more positive note, 78 percent of respondents are either set up to report a breach to a third party or are planning to be able to do so.


Digging a little further into attitudes toward breach notices, the findings suggest that the majority of organizations believe there’s a stigma associated with reporting a data violation and nearly half (47 percent) would prefer to accept a fine rather than make a breach public.

When asked to explore the negative impact of a data breach, organizations identified loss of customer confidence (58 percent), loss of customers (46 percent) and financial penalties (45 percent) as the three worst outcomes. And when asked how they would cover the cost of a breach incident, 44 percent said they would look to pay for it—at least partially—through an insurance policy, while 39 percent said they would draw on an allocated budget.

GDPR also requires that most organizations employ a data protection officer (DPO). The vast majority of organizations (81 percent) surveyed for this research already have one in place or will have one in place before GDPR takes effect—it’s already a requirement for certain companies in certain E.U. member states. However, the research suggests that for two thirds of organizations GDPR is either the “only” or the “main” reason for employing a DPO.

Employing a Data Protection Officer
Has your organization employed a data protection officer?
Yes, we already have one                                   50%
No, but we plan to within the next six months              20%
No, but we plan to in the next six months to one year      11%
No, but we plan to in the next one to two years             4%
No, and we do not plan to                                   7%
Don't know                                                  8%

Attitude toward reporting breaches
63% agree that, “In my industry, reporting a breach has a stigma attached to it that will have a negative effect on our brand.”
47% “would rather risk a fine than admit a breach because of the negative impact a declaration of a breach would have on the brand.”

Finally, respondents were asked if their organization plans to take advantage of its cloud service provider (CSP) to help it achieve data protection compliance. A large majority (80 percent) said they do plan to, with 38 percent intending to pass data controller responsibility to their CSP, which is not allowed by the regulation. The remaining 42 percent accepted that, as codified in the GDPR, despite reliance on the cloud service provider, significant responsibility is likely to remain with the organization itself.

Reliance on Cloud Service Providers
Does your organization plan to leverage its cloud service providers to help you achieve data protection compliance?
Yes, definitely, we have/will pass data controller responsibility to them        38%
Yes, to an extent, although responsibility will remain with us                   42%
No, they will never be responsible for managing the personal data we hold        12%
Don’t know                                                                        8%


Yet when asked if they agree that “organizations are incorrectly placing their faith in cloud service providers to manage GDPR for them,” 58 percent said yes. The advice for those organizations engaging cloud service providers is simple: read the small print. Why? Because uncertainty remains until enforcement begins. GDPR introduces explicit responsibility on the processor for the first time. However, that may not mean that ultimate responsibility shifts substantially to a cloud service provider.

“GDPR also requires that most organizations employ a data protection officer (DPO). The vast majority of organizations (81 percent) surveyed for this research already have one in place or will have one in place before GDPR takes effect.”

Controllers and Processors
To quote the GDPR, “the controller shall implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation.” And while processors such as cloud service providers do have obligations under GDPR, it is for the controller to ensure they employ only processors—including CSPs—“providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Regulation.”


#4 Where is My Data?
Data storage, location and migration
As this report makes plain, the residency of data has become a strategic decision for most organizations, accelerated by four interrelated factors. First, factors such as geopolitical change are influencing data location. Second, there is also impact from a changing regulatory framework – that means varied and, in some cases, tightening data protection regulations coupled with governmental attempts to gain greater access to mass communications data. Third, the nature of data storage and transmission has changed dramatically over the last two decades, notably as a result of the growth of the commercial internet and cloud computing as a model of choice. Finally, there is the increasing commercial value of data in the digital era.

As a result, the need to answer a seemingly simple question—where is my data?—has risen up the organizational agenda.

An overwhelming 97 percent of respondents are confident that they have some knowledge of where their data is physically stored. Dig a little deeper, however, and a smaller 47 percent say they know where their data is stored at all times. Of the remainder, 41 percent know the country it is stored in most of the time, while 9 percent know the world region but not the specific country. While specifics may not matter in some instances, they will in others. For example, it may become essential to know that data is stored in the U.K. rather than simply somewhere in Europe.

Where is my data?
How confident are you that you know where your organization’s corporate data is physically stored?
Completely confident – we know where all of our data is all of the time                                                    47%
Somewhat confident – we know the country it is stored physically in most of the time                                       41%
Somewhat confident – we know the region it is stored physically in all of the time, but not the specific country it is physically in   9%

Asked why they chose a particular location for data storage, 46 percent of respondents indicated that they were led by data protection regulation in that country.

Reasons for Storage Location
Why does your organization store its data in the country that it does?
Data protection regulation laws in that country                                                                   46%
My organization requires us to store data in that country                                                         37%
Our chosen cloud service provider is located in a specific location (the CSP is more important to us than the location)   34%
Cheaper provider costs                                                                                            30%
Reputation of security                                                                                            30%
Vendor lock-in                                                                                                    23%

Among other responses, a third (34 percent) said location is led by their cloud service provider of choice, 30 percent cited cost and reputation of security, while nearly a quarter (23 percent) said that their hands were tied by their technology vendor.

It is not just protective legislation that influences storage decisions—laws such as the U.K.’s Regulation of Investigatory Powers Act (RIPA) and the U.S. Patriot Act, designed to grant government bodies greater access to surveillance data, also play a part in organizational decision-making.


Six in 10 (61 percent) respondents admit that laws negatively affect where their organization’s data is stored. Over three in 10 say that RIPA (32 percent) or the Patriot Act (31 percent) stop organizations storing data in the U.K. and the U.S., respectively. A larger proportion (35 percent) suggest that GDPR will deter them from storing data in relevant European Union countries. Just under a quarter (23 percent) insist that there are no laws that deter their organization from storing data in any country.

Storage Deterrence
What laws deter your organization from storing its data in the country where they are relevant?
GDPR         35%
RIPA         32%
Patriot Act  31%
No laws      23%

Regardless of laws that might act as a deterrent, the U.S. (48 percent) is the single most popular country to store data in, followed by Germany (35 percent) and the U.K. (33 percent).

These preferences largely reflect where organizations currently store their data. Today, the top three locations are the U.S. (41 percent), the U.K. (25 percent) and Germany (22 percent). They also reflect the nations that most believe have the toughest data protection requirements. The U.S. (68 percent) is top of the list again, followed by the U.K., Germany and France. Intriguingly, those resident in each country believe their native land has the most stringent rules: 96 percent of Germany-, 89 percent of U.S.-, 88 percent of U.K.- and 79 percent of France-based decision-makers. (For more on some of the main regulations affecting each of the countries in this research, see section #5 below.)

Tough Laws
Which three countries do you believe have the most stringent data protection requirements (e.g., laws, policies, procedures, etc.)?
U.S.     68%
U.K.     57%
Germany  53%
France   35%

By contrast, when asked which country to avoid when considering storage decisions, the list is topped by Mexico (38 percent), India (28 percent), Brazil and South Africa (both 27 percent).

The popularity or otherwise of countries as data storage destinations is likely to reflect perceptions of the different data protection regimes in different parts of the world. The impact of those country-specific regulations is explored in the next section.

Storage Preference
Which countries would you prefer to store your organization’s data in because of the data regulation requirements within those countries?
U.S.       48%
Germany    35%
U.K.       33%
France     25%
Canada     20%
Japan      19%
Australia  12%
Singapore  11%
Brazil      8%
Mexico      4%
India       4%
U.A.E.      4%


#5 Country-specific Regulations:
Understanding and impact
Any organization with global ambitions, workforce and customers will soon butt up against myriad country-specific regulations. Throw in sector-specific laws—designed, for example, to protect banking customers or hospital patients—and myriad becomes matrix.

As discussed earlier, GDPR (see Section #3) will bring consistency to data protection laws within the E.U.’s trading bloc of over 500 million consumers, but elsewhere there’s nothing but complexity. Consider, for example, that some countries don’t have a single, omnibus piece of legislation devoted to the protection of personal data. Rather, the U.S. invokes a multitude of sector-specific laws to define and enforce the scope of data use. Equally, there are countries that partially devolve data protection to federated states: Germany and (again) the U.S.

It is in this context that the McAfee/Vanson Bourne survey results shed light on the understanding of, comfort in adhering to and deep knowledge of 11 relevant data protection regulations that take us from Australia, Japan and Singapore in the Asia-Pacific region to the United States via France, Germany and the U.K. in Europe.

Where relevant, the majority (52–74 percent) of respondents say that their organization has complete understanding of the regulations covered in Australia, Germany, the U.K. and the U.S. The exception is GDPR (44 percent), a regulation yet to be enforced. Elsewhere, only a minority claim complete understanding of regulations in Brazil (40 percent), Singapore (34 percent), France (28 percent) and Japan (13 percent).

“Where relevant, the majority (52–74 percent) of respondents say that their organization has complete understanding of the regulations covered in Australia, Germany, the U.K. and the U.S.”

Understanding tends to correlate with comfort in adhering to a particular regulation. However, the levels of comfort tend to be far lower than both claimed knowledge and understanding. In only two cases—the U.S. Health Insurance Portability and Accountability Act (HIPAA) and the Federal Trade Commission Act—are more than half of respondents “extremely comfortable” with adherence.

Tough Laws
Asked “How comfortable is your organization with adhering to the following data protection regulations?,” the following percentage said they were “extremely comfortable”:
HIPAA (U.S. Healthcare)                            54%
FTC Act (U.S.)                                     50%
Financial Services Modernisation Act (U.S.)        42%
Privacy Act (Australia)                            42%
BDSG (Germany)                                     38%
DPA (U.K.)                                         34%
Brazilian Civil Rights Framework for the Internet  32%
GDPR (Europe)                                      30%

16 Beyond the General Data Protection Regulation (GDPR): Data residency insights from around the world
REPORT

Tough Laws On average, German respondents could


identify 55 percent of the clauses that relate to
Asked “How comfortable is your organization with adhering
Bundesdatenschutzgesetz, the country’s federal data
to the following data protection regulations?,” the following
percentage said they were “extremely comfortable”:
protection act. That proved to be the highest average
PDPA (Singapore) 20%
across all 11 regulations. Most identified fewer than half
DPA (France) 18%
of relevant clauses.
APPI (Japan) 10% Perceived comfort and understanding don’t necessarily
add up to deep knowledge. For example, 74 percent
Respondents were then asked to identify specific of relevant respondents expressed ”complete
clauses within relevant regulations. Rather than express understanding” of HIPAA, yet on average they were only
their sense of readiness, this question explored the able to identify 47 percent of the Act’s clauses. Similarly,
detail of their knowledge. It threw up some interesting three quarters of those that need to comply with
findings. For example, just 2 percent of senior decision- the Financial Services Moderation Act said they had
makers knew all clauses of the data protection complete understanding, yet they knew only 38 percent
regulations relevant to them. of the Act’s specific regulations.
Senior Decision-Makers’ Understanding of the Laws By contrast, some of those expressing little confidence
Analysis of the average percentage of clauses respondents in their knowledge—those expected to adhere to
correctly identified as related to the following data protection Singapore’s Personal Data Protection Act or the E.U.’s
regulations: GDPR, for example—turned out to know more than
BDSG (Germany) 55% their contemporaries.
DPA (U.K.) 52%

GDPR (Europe) 51%


While not every decision-maker needs intimate
PDPA (Singapore) 49%
knowledge of every clause of every relevant regulation,
Privacy Act (Australia) 49%
the business does need that knowledge. These results
suggest more education is required, which in turn may
Brazilian Civil Rights Framework for the Internet 48%
help organizations adhere to the regulations.
HIPAA (U.S. Healthcare) 47%

FTC Act (U.S.) 42%

APPI (Japan) 41%

DPA (France) 39%

Financial Services Modernisation Act (U.S.) 38%

17 Beyond the General Data Protection Regulation (GDPR): Data residency insights from around the world
REPORT

Summary

There is much to consider from the findings discussed over the previous five chapters. This report provides a context in which to compare individual and organizational attitudes toward data residency, protection and preparedness in the light of a changing regulatory landscape. It also provides a comprehensive view of how senior decision-makers view 11 key data regulations from around the world, including the forthcoming GDPR.

One of the most notable themes that runs through the findings is an apparent contradiction in the impulses of respondents. On the one hand, global events and a tightening data protection regime are giving senior decision-makers pause for thought over organizational spend and investment. On the other hand, most organizations looking for the best place to locate their data gravitate toward those countries with the most stringent data protection rules.

So while compliance might be burdensome and disruptive in the short term, there is a recognition—albeit tacit—that firmer data protection rules are beneficial not just to customers and clients but to the organization itself. This is perhaps best articulated in the belief that data protection can be turned into a competitive advantage, a so far under-explored boon.

Through the uncertainty there is much to be positive about. Good data governance underscores good organizational management. Organizations will make better use of their data the more they understand what they possess and where it resides. As this report makes plain, there is much to learn.

To find out more about the data protection opportunity for businesses, visit McAfee’s GDPR site: mcafee.com/GDPR.

Appendix: Methodology and Survey Demographics

Research into “Data Protection Regulation” was conducted by Vanson Bourne on behalf of McAfee with field work running from April to May 2017. The findings are based on the responses of 800 senior business decision-makers from across eight countries and a range of industry sectors and sizes, starting at those with 500 employees.

Interviewees by Country:
Australia: 100
Brazil: 50
France: 100
Germany: 100
Japan: 100
Singapore: 50
United Kingdom: 100
United States: 200

Interviewees by Function:
Information technology 26%
Finance 11%
Business direction and strategy 10%
Health and safety 10%
Business development/sales/channel 9%
HR/training 6%
Client services/relationship management 5%
Operations 4%
Engineering 3%
Design/research and development 3%
Marketing communications 3%
Trading/merchandising/retail shop floor 2%
Quality control 2%
Risk/fraud/compliance/governance 2%
Legal 2%
Purchasing/procurement 1%
Facilities/property 1%
Production/manufacturing 1%
Logistics/supply chain/transport/fleet 1%

Interviewees by Industry Sector:
Financial services: 200
Private healthcare: 200
Public sector: 200
Other enterprise sectors: 200

Interviewees by Organization Size:
500-999 employees: 201
1,000-2,999 employees: 215
3,000-4,999 employees: 204
5,000 or more employees: 180
About McAfee
McAfee is one of the world’s leading independent
cybersecurity companies. Inspired by the power of
working together, McAfee creates business and
consumer solutions that make the world a safer place.
By building solutions that work with other companies’
products, McAfee helps businesses orchestrate
cyber environments that are truly integrated, where
protection, detection and correction of threats happen
simultaneously and collaboratively. By protecting
consumers across all their devices, McAfee secures
their digital lifestyle at home and away. By working
with other security players, McAfee is leading the effort
to unite against cybercriminals for the benefit of all.

www.mcafee.com.

2821 Mission College Blvd.
Santa Clara, CA 95054
888.847.8766
www.mcafee.com

McAfee and the McAfee logo, ePolicy Orchestrator, and McAfee ePO are trademarks or registered trademarks of McAfee, LLC or its subsidiaries in the US and other countries. Other marks and brands may be claimed as the property of others. Copyright © 2017 McAfee, LLC. 3576_1017_rpt-beyond-gdpr
October 2017
