The Cloud Data Compliance Conundrum


Written by Willy Leichter

Business is booming – both for cloud providers, and for regulators. The benefits of the cloud are well known (productivity, agility, scalability, pay-as-you-go, etc.) but as you increasingly move your infrastructure into the cloud, regulations based on the location of your data become problematic. Where is your data really located in the cloud? Are you sure you’re complying with regional data privacy laws, when your cloud data is almost inevitably crossing national boundaries and being accessed from many jurisdictions?

More than a year ago, I created a simple map slide to illustrate the challenges of data residency with cloud-based data. The map showed datacenter locations for a few of our cloud partners – Salesforce, Box, Microsoft, and others – with major datacenters and backup sites around the world. Then I overlaid a few dozen examples of data privacy laws that might apply to your data, such as HIPAA, EU Directives, Australia Privacy amendment, Canadian privacy laws and more.

The map proved to be a good way to illustrate the challenges of reconciling privacy laws with the fundamentally global nature of the internet. But here’s what surprised me – almost every time I showed this slide, audience members started scribbling notes, taking pictures, or asking me for copies. The slide was not intended as a research tool, but clearly a lot of people are hungry for easily accessible information about a wide range of global data privacy laws.

Fast forward to today, and we have created an extensive resource summarizing global data privacy laws in 83 countries across 6 continents. Our goal is to bridge the gap between dense legalese and a lightweight list of laws. For each country we have summarized the relevant data protection laws, definitions of personal data, key security requirements, data transfer restrictions and breach notification requirements. We have also provided links to national enforcement authorities and other expert legal resources.

Each country is ranked as having overall Strong, Medium, or Limited data protection requirements. While this is subjective, we’ve based our ranking on similar scoring models from multiple law firms, industry analysts, and publicly available data.

All of this information is available in a dynamic map on our Global Compliance Resource Center and as a downloadable 100+ page reference book. Our goal is to make it easy to compare laws across countries, dive into significant detail on each, and find links for source material and expert legal analysis.

This is a very dynamic topic, so we will be continually adding new countries, updating content as laws change, sharing expert opinions, and analyzing major trends – such as the upcoming EU Data Privacy Requirements. Please check out the site, try the map, download the book and give us your feedback.