Cloud Strategy: legal impacts across the organization

Here is part three of our series covering the key issues to consider before adopting cloud technologies. This article focuses specifically on legal impacts on your organization.

“Location, location, location”. We’re more accustomed to hearing this in the context of the housing market. However, where your company’s headquarters reside, where your company does business and where its subsidiaries are located directly impact how you need to manage sensitive information, such as strategic projects, HR/personnel information, etc.; essentially, IT needs to account for data sovereignty laws and regulations.

Various countries have already voted or are moving towards voting on more restrictive data sovereignty legislations that will control the transit of information out of border. For example, the Canadian Personal Information Protection and Electronic Documents Act (PIPEDA) already governs how IT organisations can collect, use and disclose personal information in the course of commercial business. In addition, the Act contains various provisions to facilitate the use of electronic documents. Essentially, all personally identifiable information must stay in country, at rest and in transit, meaning that using a cloud provider in the US or any other country with said data could expose the company – and you – to a lawsuit, unless the cloud provider can guarantee no aforementioned data ever leaves the country at any time, including for redundancy/DR purposes.

While the previous Act covered what must be protected, the American law (the USA Freedom Act, and its previous incarnation, the Patriot Act) enables the US government to access any and all data residing on its soil, without owner’s authorization, need for warrant and without even the need to notice the owner before or after the fact. The few data privacy provisions in the bill apply to American citizens and entities only. This means all data housed in the US are at risk, especially if said data is owned by an organisation whose headquarters are out of country.

If in Europe, laws vary from country to country, we find that the regulations on data protection are becoming more stringent, requiring the establishment of procedures and controls to protect personal data and obtaining the explicit authorization of persons to collect and use their information. All this imposes guidelines to the use of the cloud within the country or outside their borders.

Typically, data sovereignty should be a concern for most organisations when looking at cloud and, as the current trend is for countries to vote in more stringent laws, any and all cloud strategy should account for local, national and international regulations.

Benoit Quintin – Director Cloud Services – ESI Technologies