Many organisations in regulated industries, including legal firms, FSIs and healthcare companies, want the benefits of cloud computing but find regulatory compliance requirements so onerous that they’re stuck using less efficient on-premise systems. Understandably, companies don’t want a knock on the door from the regulator, or to risk damaging their reputation by not protecting sensitive data as they’re required to do.
However, companies that previously discounted cloud computing as unsuitable for the regulatory landscape they operate in are increasingly revisiting this option, for the following reasons:
Demand from employees – employees want the tools that cloud computing offers, enabling them to be more productive and mobile. For example, when working remotely they want to be able to access IT systems and data in real time. When this option is not available, there is a risk that employees will take shortcuts that could compromise the company’s data, such as downloading files or documents to their own device.
Competitive advantage – cloud computing can help companies become more agile, not only driving efficiencies and cost savings but also enabling companies to be more innovative. It’s a gateway to technology that can help deliver innovative new products and services, as well as making existing systems more effective and responsive.
Cloud vendors are aligning solutions with the regulatory landscape – some cloud vendors offer standardised solutions to high service standards; others specialise by offering tailored services to meet their customers’ compliance requirements, e.g. for mission-critical workloads. It’s also important to remember that companies don’t have to take an ‘all or nothing’ approach to cloud migration: core systems don’t have to be in the cloud, although many companies are now moving these as well as services and products.
Challenger startups – for regulated companies, big and small, new challengers offering online services are disrupting the market. These solutions, including accountancy and bookkeeping, conveyancing, payment services etc., exist in the cloud and are registered with the appropriate regulatory bodies. Customer demand for services like these is putting pressure on traditional firms to innovate and offer similar online services.
Cloud computing: 3 tips for regulatory compliance
If your organisation wants to join other regulated companies and get the benefits of cloud computing, the following tips and best practices will help you stay on the right side of the regulator.
#1: Data classification
Regulations like GDPR require organisations to understand what types of data the organisation stores so that they can protect it compliantly. Identifying data types will enable the business to decide whether it’s appropriate to migrate some or all of it to the cloud, and if so, how to secure it. Carrying out a full audit of all your data before exploring specific cloud platforms will help you identify the type of solutions you need.
#2: Data location
CIOs and business leaders need to understand the regulations concerning where data is stored and processed, most specifically when data must not leave a specific geography, such as the EU. Typically, cloud providers will host data in multiple locations, in part for disaster recovery and business continuity, but also so they can be competitive. Some might not know exactly where data is stored if they use automated systems for load balancing. It is therefore imperative that you work with a cloud provider that is able to lock data to one location or region, depending on regulatory requirements.
#3: Data security
It is essential that you understand regulatory requirements for securing data; for example, some regulations require client-based encryption when moving and storing data. Then explore cloud providers’ attitudes to security. What are their strategies for user identity and access management, data protection and incident response? Consider too what safeguards are in place to prevent data compromise on shared servers: public cloud providers use ‘multi-tenancy’ to keep costs down and optimise server workloads, which means servers are shared between different businesses.
Ultimately, it is not the cloud provider’s responsibility to ensure your business is compliant, but yours. However, many providers want your business and will work with you to ensure you get a solution that enables the business to get the benefits of cloud computing without falling foul of regulatory compliance.
Find out how we helped a solicitors firm with multiple offices across the South East migrate to cloud platforms by reading this case study.