Force 5: Government and Industry Regulations
Regulatory authorities are still trying to catch up with cloud computing let alone the revolution that business digitalization is causing as there is no longer a data center to audit or a firewall log to review.
Cloud Impact on Regulations
As the cloud reduces physical perimeters for organizations, the cloud also reduces and blurs the digital divide between countries and nations. For many organizations, knowing where their data is located should be a fundamental requirement, yet for many, it’s not always obvious. Responding to a government or a regulator request that our data “is in the cloud” is not perhaps the correct response. Instead, the regulator has made it clear in recent data protection law revisions, such as the EU GDPR, that organizations must know where their data is located. It is a legal requirement and as we see updated regulations introduced across the globe, this requirement will be mandatory for most organizations.
Geolocation Impact on Regulations
Not only is geolocation of the data a requirement but also an understanding of why the organization has this data, how long they can retain, what organizational and security controls are required, and what agreements are in place to transfer this data cross-border to other data controllers and data processors. These are all questions the organization should be able to easily answer. As we see a consolidation of these requirements, we also see an acceleration in consumers being aware of their rights under new data protection and privacy Laws. GDPR, LGPD, CCPA, and POPIA are just some national or state examples whereby the national authorities have made it clear that consumer data protection is critical and they are willing to take action against even the largest organizations that do not take their obligations seriously.
Across the globe, countries and unions have applied aggressive mandates to control and protect data in and out of the country. For these countries, cross border connectivity must be controlled with organizations relying on valid agreements to be in place. The complexity of the rules in place continues to impact both global data protection and security teams that need visibility and control over their network and systems and to not run foul of these laws. For many of these laws, there is no simple answer as rules and guidelines continue to be developed to best support the government’s intentions to support both their economy and their trade arrangements.
Recommendations to best manage these regulatory minefields include mapping the organizational data flows to truly understand where your organization may need to deal with these issues before they negatively impact the organization. Understanding where employees connect from and to cloud services, as an example, will help with maintaining a cross-border inventory of the locations that may need additional control and/or analysis. Sharing this information will provide greater visibility across the whole organization and can help support legal, risk, and audit teams in their understanding of the requirements. Building a strong coalition alongside the security team that factors into the location variable that cloud computing brings is a good first step to manage these forces.