UK
The UK GDPR and Data Protection Act 2018 require processors of personal data (including those organisations outside the UK) to protect data subject rights and limit reuse of personal data for their own purposes. For cross-border data transfers, UK rules also rely on adequacy decisions and mechanisms such as the International Data Transfer Agreement (IDTA). The FCA and PRA also require firms to assess data localisation risks and maintain access and audit right over third-party providers. In addition to this, the draft Cyber Security and Resilience Bill (not yet in force) envisages bringing certain outsourced third-party suppliers within scope of the law, giving the ICO information gathering, investigation and enforcement powers to regulate these entities.
EU
The Digital Operational Resilience Act (DORA) imposes, among other things, strict controls on foreign information and communications technology (ICT) services provided to EU-based financial institutions.
EU/US
EU/US – Concerns persist over the longevity of the EU-US Data Privacy Framework, a key mechanism underpinning data flow between those jurisdictions.
Australia
Through its Foreign Investment Review Board (FIRB) regime, conditions may be imposed on offshore investors, including requirements on how sensitive data of the investee entity is accessed, managed and controlled (eg, health insurance data).
China and Vietnam
Cybersecurity and data security laws in jurisdictions like China and Vietnam impose strict data sovereignty, localisation, and reporting/audit obligations on operators of “critical information infrastructure” (including banks) in relation to their IT systems, vendors, and data storage providers. In April 2025, the People’s Bank of China issued guidelines clarifying what categories of financial data may be exported, the permissible transfer scenarios, and the safeguards required for cross-border transfers.
India and Indonesia
The banking sector regulators have required banks to store certain types of data onshore unless an exemption is applicable.
