Partner Article
Data Residency: Why It Matters Where a Business' Files Live
Most business owners assume their cloud files sit somewhere safe and that's the end of it. But the physical location of those files decides which government can demand access to them, which laws protect them and what happens if a data transfer framework collapses. It's a detail that rarely comes up until something goes wrong.
What Data Residency Actually Means
Data residency is simply the country where your files are physically stored. When you upload a document to a cloud service, it ends up on a server in a real building in a real place. That building sits under the legal jurisdiction of whatever country it's in.
This matters because the laws of that country apply to your data, even if your business is based in Manchester or Leeds. A file stored in a US data centre can be subject to US law. A file stored in Frankfurt falls under EU rules. The flag on the building changes the rules of the game.
Plenty of providers don't make this obvious. You sign up, you start uploading and you never think about where the servers actually are. For sensitive client information, financial records or intellectual property, that's a gap worth closing.
Why US-Hosted Data Carries Extra Risk
The big issue with US-hosted data is government access. Under laws like the CLOUD Act, US authorities can compel American companies to hand over data they hold, even when that data is stored on servers outside the US. If your provider is a US company, or has US operations that put it under US jurisdiction, your files can be in scope, even when they're stored on a server in Europe.
This caused real problems for EU-UK data flows. The Schrems II ruling in 2020 struck down the Privacy Shield framework that allowed data to move freely between the EU and the US. The court decided US surveillance laws didn't give European data enough protection. Businesses were left scrambling to add extra legal safeguards just to keep using American services.
A replacement framework now exists, the EU-US Data Privacy Framework, adopted in July 2023. It survived its first legal challenge in 2025, but more are expected, so it still sits on shaky ground. If you're relying on it, you're relying on something that might not survive the next court case.
How to Verify Where a Provider Stores Your Data
Don't take a provider's marketing at face value. Ask them directly which country your files are stored in, who legally controls those servers and which jurisdiction applies if a government comes knocking. A good provider will answer plainly. A vague answer is a red flag.
One option that sidesteps the EU-US tug of war is to store data in Switzerland. Swiss-based providers offering enterprise cloud storage operate under some of the strictest privacy laws in the world, in a jurisdiction that sits outside both EU and US government access frameworks while still aligning with GDPR through Switzerland's adequacy status.
There's one catch worth checking: Swiss hosting only keeps you clear of US reach if the provider itself isn't owned by a US parent or otherwise tied to US jurisdiction. A truly Swiss-owned provider is the useful middle ground for a UK business.
When you're checking a provider, it helps to run through a few basics:
The exact country your data is stored in.
Who legally owns and controls the servers.
Whether the provider uses end-to-end encryption, so even they can't read your files.
Which compliance standards they actually hold, such as ISO 27001.
What the EU Data Act Changed in 2025
The EU Data Act became applicable on 12 September 2025, and it shifts the balance back towards businesses. One of its biggest changes is the right to switch cloud providers without being trapped by technical or contractual barriers.
Under the new rules, providers have to let you move your data to a competitor or to your own infrastructure, and they must hand it over in a structured, machine-readable format. Switching fees are being phased out, and from 12 January 2027 providers won't be allowed to charge them at all. Until then, they can only pass on the actual cost of the switch. The aim is to stop businesses getting locked into one provider just because moving away is too painful.
For UK firms working with EU clients or EU-based providers, this is worth knowing. It gives you more freedom to pick a provider based on where they store data and how they protect it, instead of staying put because leaving feels impossible.
Concluding Notes
Where your files live isn't a technical footnote. It decides who can legally access your data, which protections apply and how exposed you are if a transfer framework falls apart. Before you commit to any cloud service, find out exactly where the servers sit and what laws govern them. A few simple questions now can save you a serious headache later.
This was posted in Bdaily's Members' News section by Helen White .
Our Partners
The North's future doesn't end at Manchester
Exit or legacy? Why every owner needs a plan
Who speaks up for SMEs when giants get bigger?
The true value of HR in an AI-driven working world
What new business rates guidance means for pubs
Business success starts with people investment
It's time to confront the digital poverty crisis
Why a business exit is no longer all or nothing
Culture is the foundation for sustainable growth
Business must help young people take root in work
Purposeful procurement for long-term growth
Time to rethink outdated views on apprenticeships