Stewart Dresner, chief executive of PL&B UK, said the least expensive options may mean data is stored in countries like the US where data privacy is not guaranteed or India where there is no legal framework to support it.
"Where data is held is one of the biggest strategic questions for IT managers," he said.
Security legislation in the US allows authorities access to any data stored in the country, which has led the Swift international financial messaging network to begin building a new operational centre in Switzerland to ensure European data is not accessible by the US authorities.
A Swift spokesman said the centre in Switzerland was part of plans to create geographical network zones and would be paired with an existing site in the Netherlands to create a European zone by the end of 2009.
He said the new operating centre was also intended to increase Swift's network resiliency and help increase the organisation's capacity for processing financial transactions.
Swift was criticised by European countries when the organisation was forced to give US authorities access to financial transactions after the 9/11 attacks in September 2001.
Dresner said Swift's decision was an important one and likely to set a trend that other organisations will follow.
In India, he said the lack of a legal framework to protect data privacy means the outsourcing industry is governed only by a self-regulated code of practice and data privacy is protected only by the terms of the outsourcing contract.
"In Europe, business organisations have the benefit of contract terms as well as a legal framework, which is leading the world in data protection," he said.
"It is a more secure environment where there are civil and criminal penalties [enforcing data privacy]," he said
Similar data protection legislation exists in countries like Canada, Australia, Hong Kong, New Zealand and Japan, but in many other countries laws are weaker and offer less protection.
The need for businesses to take care over where they store data is one of the topics to be addressed at PL&B's annual international data protection conference to be held in Cambridge next week.
Speakers include Information Commissioner Richard Thomas, who will talk about the role and powers of his office.
Dresner said other topics include balancing privacy and commercial objectives in social networking communities, the prospect of European data breach laws, integrating privacy compliance into corporate culture, and fitting data protection law into global risk management programmes.