Cloud computing now has a role to play in almost every business. But when companies are outsourcing their data storage or processing to third parties, it can be easy to overlook compliance issues and assume that your cloud provider will take care of any requirements.
However, no matter where your data resides, or who owns the servers it sits on, the information itself is still ultimately your responsibility, and if there is a breach, you'll be the one explaining yourself to unhappy customers and regulators.
There are a few common compliance issues that might arise when you're shifting data from your own servers to the cloud, so it's worth paying close attention to these and making sure you understand all your legal obligations before you embark on any major migration.
1. GDPR
One of the biggest changes in privacy legislation in a generation, the EU's General Data Protection Regulation (GDPR) came into force in May 2018 and has forced almost every business to rethink how it handles its data. Importantly, it doesn't only apply to businesses based in the EU; rather, it covers any firm that holds any personal data of any EU citizen, whether they're employees, customers, suppliers or even marketing contacts.
The implications of GDPR have therefore been wide-reaching, with some firms, such as many US news publishers, opting to stop doing business in the EU altogether rather than attempt to comply with the rules. And for cloud computing users, it will be a highly complex process to ensure all of their suppliers are compliant.
According to Netskope, the average European enterprise uses 608 cloud apps, all of which will have to be evaluated for their compliance. Key questions that need to be asked include:
- How data retention requirements will be met, particularly when contracts come to an end
- What safeguards providers have in place to prevent data from being misused
- What reporting provisions are in place in the event of a breach
2. Privacy Shield
With so much business being conducted between the EU and the US - which have very different regulatory requirements when it comes to the safeguarding and use of personal data - the Privacy Shield agreement has become one of the most important mechanisms to ensure companies on both sides of the Atlantic can comply with data protection regulations when transferring data between the two jurisdictions.
For cloud computing users - especially those in Europe, where regulations are stronger - the Privacy Shield is regarded as an effective mechanism for ensuring EU companies can comply with their legal obligations when it comes to transferring personal data from the European Union to the United States. Therefore, choosing a cloud provider that is certified as compliant with this agreement is a must.
However, businesses should not view this as a panacea for their compliance issues. For starters, it won't automatically make you GDPR-compliant, so you can't rely on it for meeting these requirements. What's more, European politicians have raised concerns that it is not meeting its promise due to non-compliance on the US side, which could leave EU citizens open to surveillance by US authorities.
3. Outsourcing to managed partners
If you're using a managed services partner to handle your IT infrastructure or end-user systems, you need to fully understand their systems and policies to ensure both you and they are in compliance with relevant legislation. For starters, this means taking a close look at the service level agreement you have with them to ensure you know exactly what they are responsible for and what they are not.
Key areas to consider when using outsourcing partners include determining exactly where any data will be stored and which locations it will be transferred through. This is particularly important if data is being sent to and from countries outside the EU or not covered by the Privacy Shield agreement, as it may be more difficult for businesses to guarantee the safety and privacy of their data.
Other issues to consider include:
- What data recovery provisions are in place
- How they will ensure the integrity of data
- Which regulators need to be informed in the event of any breach
The IT sector is an increasingly globalized business thanks to technologies such as the cloud, and many firms have to deal with multiple regulations across several countries. Therefore, understanding the compliance requirements in every location your data may reside in - whether you have a physical presence there or not - is essential if you are to remain compliant.