DRHCOPS01-BP01 Understand your organization's specific legal and compliance requirements specific to data residency - Data Residency and Hybrid Cloud Lens

Your use of AWS Hybrid Edge services should be guided by your data residency requirements. Clearly understand those requirements to ensure your operational practices meet them.

Desired outcome: Operational practices are aligned to meet your organization's data residency requirements.

Benefits of establishing this best practice: Clarifying your requirements facilitates the implementation of operational best practices, including monitoring.

Level of risk exposed if this best practice is not established: High

Implementation guidance

While AWS provides services for local data storage, the responsibility to comply with local laws and regulations lies with you. The following is a non-exhaustive list of examples, and you should review the specifics based on your business, industry, and geographic location.

  • General Data Protection Regulation (GDPR) for any personal data of EU citizens

  • Health Insurance Portability and Accountability Act (HIPAA) for protected health information in the United States

  • Payment Card Industry Data Security Standard (PCI DSS) for credit card and financial data

  • Industry-specific regulations like the Sarbanes-Oxley Act (SOX) for financial data

  • Country or region-specific data privacy laws like the California Consumer Privacy Act (CCPA)

Thoroughly understand the specific regulations and internal policies that govern your organization's data residency requirements in different locations. This typically involves collaborating with your legal, compliance, risk management, and information security teams to identify and document all applicable rules and constraints.

Once these requirements are established, list the countries and industries the application will serve. Review the Scenarios section in this lens for examples of how different data residency requirements inform your architecture decisions.