To maintain good governance and compliance you really need to look at the steps that were taken to get the data into the different cloud environments in the first place. I say this because being able to comply to either industry vertical regulation, or data privacy regulations that span any organisation that collects or processes information on individuals you really need to understand WHAT that data is and what it contains before it is migrated or ported to a cloud provider.
But many times, data is migrated without applying basic governance principles which would allow the organisation to show accountability and responsibility to requests from regulators. This can set up a potential 'data time bomb' where pockets of non-compliant data sit dormant or are moved between cloud providers without understanding their risk to the business.
In the case of the upcoming European Union General Data Protection Regulation (GDPR) it is all about understanding what personal information (or personally identifiable information - PII in the US) an organisation collects and processes on an EU resident, and whether they have agreed consent to do that.
Having visibility and insight into that data becomes critical - no matter where it resides. Understanding if files, documents and other forms of unstructured data contain personal information will help with classification, which in turn allows a more compliant retention and policy approach to be taken.
Tools that can provide this visibility and analysis, at scale and with rapid reporting really can help bridge the gaps when data is fragmented across heterogeneous environments.
Lots of great advice here.
When I am talking to customers, I sometimes pick up comments like, “My cloud provider is taking care of regulatory compliance of my business data. I don’t have to worry about it.” Is this false confidence?
I wonder what the role of the cloud service providers is when it comes down to regulatory compliance and for example GDPR of the data that their customers store in their cloud? They tend to take the role of the “Data Processor.” Does this exclude them from any responsibilities on the matter?
Thanks for the post, David!