There are benefits and challenges associated with using the public cloud for compliance with data privacy regulations. While the activities performed to keep data safe and demonstrate compliance are shared between the customer and the provider, an important fact to remember is that the organization that owns the data remains responsible for keeping it secure. The customer will face more serious consequences than the cloud provider if there is a data breach or a failed compliance audit.
Benefits of Cloud Compliance
Some of the same reasons for the general interest in cloud computing apply to enterprises concerned about data privacy compliance. The benefits of using a cloud provider include:
- Access to cutting-edge technology that may be beyond the means of individual customers to provide by themselves;
- Experienced teams of security and compliance specialists who may have substantially more knowledge than that of in-house personnel;
- The ability to quickly build secure systems to cope with evolving regulatory standards.
Implementing a compliance program can stress an organization’s technical and human resources. The cloud offers a simplified path that enables companies to rapidly embrace regulatory compliance.
Challenges of Cloud Compliance
Companies that operate in more than one jurisdiction may be subject to multiple sets of data privacy guidelines. This is challenging for any organization, and the challenge can be compounded when a cloud provider is used to protect enterprise data resources.
Many data privacy regulations place restrictions on where personal data is stored. It may have to physically remain in the jurisdiction in which the data subjects live, and transferring it to other geographical areas may be prohibited without proper consent.
This can cause problems when a cloud provider adds capacity or fails systems over to address an outage. Data that had been stored in accordance with a specific privacy regulation can be inadvertently moved to a restricted location, putting the organization at risk of a failed compliance audit.
Questions for Your Cloud Provider
Effective data privacy compliance is possible with a cloud provider as long as some conditions are met and the roles of all parties are fully defined and understood. Some questions that an organization should ask its prospective cloud providers are:
- Who controls the encryption keys used to secure personal data?
- What types of data oversight, such as intrusion detection and security audits, will be performed?
- In which geographic location is my data being stored and can it be guaranteed that it will remain there?
- What types of reporting are available to demonstrate compliance to regulatory auditors?
- Who will have access to sensitive corporate data?
If an enterprise is not satisfied with the answers to these questions, it should probably continue the search for the right vendor. Large cloud providers are making custom configurations available that help address the challenges of complying with data privacy standards. Make sure your company’s sensitive data is handled appropriately by all third parties, including your cloud providers.