When migrating to the cloud, there are legal considerations to take into account. Discover more in our article.
When businesses migrate to the cloud, they tend to focus on two things: the cost of the process and how their system will look at the other end. But there's another crucial area that sometimes gets overlooked: the law.
Yes, when it comes to cloud migration, there are legal repercussions for poor security and non-compliance. Ignoring the law means putting your company's reputation – and budget – at risk.
Perhaps it's the relative novelty of the cloud that leads some companies to cut corners. For years, the cloud was a niche concern – but the COVID-19 pandemic sent adoption into the stratosphere.
There's a difference between speed and rushing, of course. But the mad scramble to migrate workloads to the cloud has, in some cases, led to companies neglecting compliance.
"Compliance, shmompliance", you might say (although it's admittedly a bit of a mouthful). However, you only have to imagine a similar scenario in the building sector to realise how cavalier this approach is.
Picture the scene: a construction team starts throwing up a block of flats. They haven't checked the relevant building regulations. It just wouldn't fly, would it?
Now, you might say that cloud migration isn't a matter of life and death. But it absolutely is a matter of reputation and budget.
Before we go any further, it's important to note that nothing in this article constitutes legal advice. It's up to you to be on top of legal considerations as you prepare to migrate to the cloud. This article is simply meant to flesh out some common considerations and help you ensure that your cloud migration is above board.
What is compliance, anyway?
Because of its technical nature, compliance can seem like rocket science. But while it can be initially tricky to implement, the concept is clear. Compliance is about demonstrating a robust security posture.
There are four key aspects to compliance: data transfer, data visibility, data security responsibility and data access.
Different regions have different privacy regulations. If you transfer data to a different region, you need to be sure you're abiding by the host region's rules. It's not so different from driving on the correct side of the road or registering your address when moving to a different country.
Data has to be visible to be secure – just ask any IT department that's battling with shadow IT. It's in nobody's interest to throw sensitive data in a box marked "confidential", never to be seen again. Your data needs to be visible as well as secure to meet compliance.
These things matter because of the "shared responsibility model" of cloud provision. If you're running workloads on a public cloud – whether solely or as part of a hybrid strategy – you share responsibility for compliance with the provider.
It's not unlike home insurance. If you leave your door unlocked and get robbed, you won't get a payout. With cloud computing, you need to take care of your workloads. You can't count on your provider to do that for you.
Finally, there's data access. It's not enough to stop outsiders from accessing your data. You need an internal data policy too – one that assigns access permissions to different members of staff.
To be compliant, you need to tick these four boxes. Exactly how the boxes look, however, will depend on where you are in the world.
Who makes the rules?
Compliance varies from place to place. In Ireland, the relevant legislation is the Data Protection Act 2018 and the General Data Protection Regulation (GDPR).
In Ireland, GDPR is overseen by the Data Protection Commission (DPC). This body calculates fines in the event of a data privacy breach.
A penalty notice from the DPC can be anywhere up to €20 million or four percent of the company's total worldwide turnover – whichever is bigger.
GDPR applies to any company that collects, processes or stores personal data – and that means any company, from the flower shop on the corner to a multinational franchise.
You run the risk of getting in trouble under GDPR when your company is insufficiently secure against external cybercriminals and internal threats.
This is partly a job for IT. But it's also a job for management when choosing a cloud provider. The provider you choose should be able to demonstrate robust security and compliance. If it can't, you're putting yourself at risk.
The importance of a security strategy
It's easy to think of the law as monolithic. But while upheavals are rare, the legal world is constantly tinkering. Being on top of compliance today doesn't mean you'll be compliant tomorrow.
This is why you need a security strategy rather than just a security policy. A security policy won't be reliable for long. It will need updating. A security strategy enables you to respond to these changes with flexibility and speed.
What to look for in a cloud provider
When migrating to the cloud, most businesses turn to the market leaders in cloud provision: Google, IBM, Microsoft and AWS. These are all trustworthy when it comes to compliance. But if you go with a lesser-known provider, you need to check and double-check that it's compliant.
Exactly what you're looking for will depend on where in the world you are. But wherever that may be, it's not an area in which you can cut corners. Non-compliance can spell disaster for your company, big or small.
While it's a problem that you can address internally, many companies find that external help from a cloud consultant can be invaluable. By leveraging outside expertise, you give yourself the best chance of keeping your reputation clean and your staff, customers and shareholders out of harm's way.
Are you looking for cloud migration consulting services? At Ascend Cloud Solutions, we can help you migrate your workloads with no compromise to security or compliance.
Get in touch today for a free, no-obligation consultation.