Why Data Residency Matters for ERP#
ERP systems contain an organisation's most sensitive data: financial records, customer information, employee data, supply chain details, intellectual property.
For New Zealand and Australian organisations, data residency is particularly complex. Both countries have distinct privacy frameworks that impose obligations on data handling.
The New Zealand Framework: Privacy Act 2020#
Key Principles#
Principle 5 - Storage and Security: Personal information must be protected by reasonable security safeguards.
Principle 12 - Disclosure overseas: Personal information may only be disclosed to an overseas agency if the recipient is subject to comparable privacy protections.
The Notifiable Data Breach Scheme#
The Privacy Act 2020 introduced a mandatory data breach notification scheme. Organisations must notify the Privacy Commissioner and affected individuals when a data breach is likely to cause serious harm.
Key requirements:
- Assess suspected breaches promptly
- Notify if serious harm is likely
- Document all breach assessments
- Report to the Privacy Commissioner
The Australian Framework: Privacy Act 1988#
Key Differences from New Zealand#
Australian Privacy Principles (APPs): Australia has 13 APPs that govern personal information handling.
Notifiable Data Breaches (NDB): Australia's breach notification scheme has been in place since 2018.
Enforcement: The Australian regulator, the Office of the Australian Information Commissioner (OAIC), has been more active in enforcement than its New Zealand counterpart.
APP 8: Cross-Border Disclosure#
APP 8 requires that before disclosing personal information to an overseas recipient, organisations must take reasonable steps to ensure the recipient does not breach the APPs.
Approaches:
- Consent from the individual
- Contract with the overseas recipient
- Binding corporate rules
- APEC CBPR certification
Cloud ERP and Data Residency#
The Questions to Ask#
Where is data stored? Primary and disaster recovery locations.
Where is data processed? Processing may occur in different locations than storage.
Who can access data? Vendor personnel location and access controls.
What happens on termination? Data extraction and deletion procedures.
Vendor Assessment Framework#
Contractual assessment:
- Data processing agreement
- Standard contractual clauses
- Data residency commitments
- Audit rights

Technical assessment:
- Data location controls
- Access controls
- Encryption (in transit and at rest)
- Certification (ISO 27001, SOC 2)
Industry-Specific Requirements#
Financial Services#
APRA (AU): CPS 234 information security requirements.
RBNZ (NZ): Outsourcing policy requirements.
Healthcare#
Health Information Privacy Code (NZ): Specific requirements for health information.
Australian Privacy Act amendments: Stronger protections for health information.
Government#
NZ Government: Protective Security Requirements (PSR).
AU Government: Information Security Manual (ISM), Protective Security Policy Framework (PSPF).
Practical Compliance Steps#
1. Data Mapping#
Understand what personal information is in your ERP and where it flows.
2. Risk Assessment#
Assess the privacy risks associated with your ERP data handling.
3. Vendor Due Diligence#
Evaluate cloud ERP vendors against privacy requirements.
4. Contract Negotiation#
Ensure contracts address data residency and privacy requirements.
5. Ongoing Monitoring#
Monitor vendor compliance and regulatory changes.
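The data mapping and ongoing monitoring steps above can be made repeatable by recording, for each ERP dataset, the four locations the article asks about and any cross-border safeguard in place, then checking that record against the organisation's home jurisdiction. The following is an added example, not code from the article or any ERP vendor; the dataset names, countries and safeguard labels are constructed for illustration.

```python
# Added example (not code from the article): checking a constructed ERP data map
# against residency commitments and recognised cross-border disclosure safeguards.
from dataclasses import dataclass, field

# Safeguards the article lists for APP 8 style cross-border disclosure.
RECOGNISED_SAFEGUARDS = {"consent", "contract", "binding-corporate-rules", "apec-cbpr"}
# The four locations the article says to ask about for every dataset.
LOCATION_FIELDS = ("storage", "dr", "processing", "vendor_access")

@dataclass
class DataFlow:
    dataset: str        # ERP module or table (names below are constructed)
    personal: bool      # holds personal information
    home: str           # jurisdiction the organisation answers to: "NZ" or "AU"
    storage: str        # primary storage country
    dr: str             # disaster recovery country
    processing: str     # country where processing runs
    vendor_access: str  # country vendor support staff access from
    safeguards: set = field(default_factory=set)  # e.g. {"contract"}

def check_flow(flow: DataFlow) -> list:
    """Return findings for one dataset; an empty list means no residency gap."""
    findings = []
    if not flow.personal:
        return findings  # non-personal data is outside the privacy principles
    offshore = {f: getattr(flow, f) for f in LOCATION_FIELDS if getattr(flow, f) != flow.home}
    if offshore and not (flow.safeguards & RECOGNISED_SAFEGUARDS):
        for where, country in offshore.items():
            findings.append(f"{flow.dataset}: {where} in {country} with no recognised safeguard")
    if flow.storage == flow.home and flow.dr != flow.home:
        # Easy to miss: primary storage onshore while the DR copy sits overseas.
        findings.append(f"{flow.dataset}: DR copy in {flow.dr} differs from primary in {flow.storage}")
    return findings

def audit(flows: list) -> dict:
    """Map each dataset to its findings; run this on every data map refresh."""
    return {f.dataset: check_flow(f) for f in flows}

# Constructed sample data map; dataset names and countries are illustrative only.
SAMPLE_MAP = [
    DataFlow("payroll", True, "NZ", "NZ", "NZ", "NZ", "NZ"),
    DataFlow("crm_contacts", True, "AU", "AU", "SG", "AU", "AU"),
    DataFlow("customer_invoices", True, "NZ", "NZ", "NZ", "NZ", "US", {"contract"}),
    DataFlow("item_master", False, "AU", "US", "US", "US", "US"),
]

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_MAP).items():
        print(name, "OK" if not findings else findings)
```

Whether a given safeguard actually satisfies IPP 12 or APP 8 for a particular recipient is a legal judgement; the check only confirms that one has been recorded for every offshore location.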
Conclusion: Compliance Is Manageable but Not Automatic#
Data residency compliance for cloud ERP is not automatic. It requires:
- Understanding the legal framework in both NZ and AU
- Careful vendor assessment and contract negotiation
- Technical controls that match compliance commitments
- Ongoing monitoring and governance