Data generated in a country or about a country’s citizens is often required to be handled in specified ways based on the laws of that country.  Some of these laws require that the data be kept in the country or only exported to countries with the same or similar laws regarding the use and handling of that information.

More and more countries are requiring data about their citizens to be kept in the country or only exported to countries with the same or similar laws regarding the use and handling of that information.

Knowing where data is stored or with whom and to where data is shared gives them the ability to know if they are in compliance with local laws.

It is generally expected that data originating in a country remains in that country. The exception is the European Union (EU) where there is an agreement that all member countries must have a minimum set of laws protecting data and privacy of EU citizens. It is acceptable to move data between EU countries because of this agreed upon level of protection.

Third party data processing is where your organization utilizes the services of another organization to perform some action involving the data supplied or gathered on behalf of the originating party.  That service may store, process, gather, transform, or otherwise have access to the data for your business purposes.

They ask about the use of third party data processing because their use introduces additional factors in their management of data to meet legal and regulatory requirements. Additionally, every party that has access to the data could be a weak spot where the data may be disclosed, changed improperly, or lost.

They expect the disclosure of any use of third parties. The use of third parties will require more information to be provided about the handling of their data by third parties.  Likely, additional questions will include the nature of the relationship to the organization, where the data will be stored and processed, and what security measures will be taken by the third party.