Legal issues to consider in moving to the cloud

Migrating workloads to the cloud may seem like a no-brainer, but enterprises need to address regulatory and compliance issues to make it a success.

Cloud has innate flexibility and elasticity, making for great business agility. However, it also creates legal and governance complexity, especially when dealing with multiple clouds across different jurisdictions.

Data sovereignty is one of the biggest issues that enterprises face. It essentially holds that data should be subject to the regulations and governance of the country in which it is collected. Data privacy and sovereignty regulations include the E-evidence regulation and General Data Protection Regulation (GDPR) in Europe, the Personal Information Protection Law (PIPL) in China, and Brazil’s General Data Protection Law (LGPD).

The United Nations Conference on Trade and Development (UNCTAD) estimates that 70% of countries now have data protection and privacy legislation. Additionally, cloud is subject to other laws across different jurisdictions. The U.S. CLOUD Act, for example, gives law enforcement authorities the power to request access to data stored by cloud providers, even if it is stored outside the U.S.

The regulatory landscape around data is now so fluid that enterprises need to reassess their data risk regularly. The big challenge is working out how an enterprise can comply with data sovereignty regulations and still achieve global scalability, agility and flexibility.

Keeping track of your data in the cloud

Enterprises are fast embracing multicloud. In a recent survey, 89% of enterprises reported having a multicloud strategy and 80% a hybrid approach combining both public and private clouds. With users accessing data from any device, anywhere, enterprises will struggle to keep track of where their data is stored and to ensure it complies with regulations.

By year-end 2024, Gartner forecasts that 75% of the world’s population will have its personal data covered under current privacy regulations. With few enterprises having a dedicated privacy practice to deal with this issue, it is often passed on to the Chief Information Security Officer (CISO). But with the rapid expansion of privacy regulations worldwide and the rapid move to multicloud strategies, Gartner recommends that enterprises start looking at a cloud legal risk mitigation program now.

Working out your risk profile

The first step is education on the type of risk, followed by quantifying and qualifying the risk associated with an enterprise’s data.

The next step toward regulatory compliance is knowing exactly where your data is stored and which regulations need to be adhered to, together with audit information and the frequency of these checks.

It is also essential to map data assets. A clear and comprehensive catalog of your data assets and the internal confidentiality requirements of that data (including all data assets, such as R&D, company plans, strategies and trade secrets) is essential so that you can create a tiered approach based on business risk.

There are clear first steps to identify, quantify and qualify your legal risk of forcible data disclosure and then create practical mitigation strategies, which include technical and procedural steps. This exercise, which should be ongoing, also allows enterprises to evaluate any risks that could lead to hefty penalties and fines, as well as information being shared with state actors in undesirable ways.

These steps will enable an enterprise to build cloud risk management and a set of best practices to avoid compliance and operational issues.

Staying safe in a stricter regulatory environment

There is no escaping the fact that the regulatory environment will get even stricter in the foreseeable future, as the world becomes increasingly digital, people have greater concerns about their data privacy, and state actors have an increasing role to play.

Enterprises need to take proactive steps now to ensure their data is safe and compliant with regulations in the cloud. Those who don’t will face growing legal and financial penalties and reputational damage.

Nathaniel Suda

Nathaniel is the European cloud and data business consulting practice lead focused on business transformation, data analytics and cloud at Orange. He is a CEO/CIO digital transformation advisor and strategist with deep technical and organizational change experience including analytics, machine learning, data, cloud, and other digital technologies.