The cloud is transforming the enterprise IT landscape—providing a platform for business innovation through greater agility and access to modern cloud-based technologies. It has also been the key driver behind the exponential growth in the amount of personal data organizations collect about their customers.
This data is routinely bought and sold, and is used to monitor every aspect of our lives—from our age, relationship status and career to our interests, lifestyle, and spending habits.
In the face of this explosion in data, regional, national, and international governmental institutions are responding by bringing in new data privacy laws, such as the General Data Protection Regulation (GDPR) and the forthcoming California Consumer Privacy Act (CCPA), to safeguard the privacy of their citizens.
These present new challenges to data privacy and compliance across the IT spectrum, but all the more so to organizations that host their applications in complex and dynamic cloud-based environments, which scale with demand.
This post will examine the implications of new data protection regulations for enterprises migrating their workloads to the cloud and see how the new NetApp® Cloud Compliance can help manage and monitor the sensitive private data that enterprises keep in the cloud.
Let’s begin by taking a quick look at the advantages cloud computing has to offer enterprises. While the cloud has become vastly more popular in recent years, there are still many companies that have yet to fully embrace what the cloud has to offer. These are the main points that make the cloud attractive, especially to large enterprises.
Data privacy, data protection, and compliance are very closely interrelated, so much so that many IT professionals use the terms interchangeably. But they're NOT one and the same. To properly explain data privacy, we also need to define data protection and compliance. That way, we can understand how they differ and how they complement one another.
Though there are a number of benefits that come with migrating operations and data to the cloud, that doesn’t mean that companies will be free from all headaches. Cloud challenges come in many different forms, some of which include data migration, data visibility, data access requests, and data security.
Large-scale enterprises, serving customers across the globe, have to comply with a variety of different national and regional privacy regulations, each with their own set of rules about data residency and data transfer.
If you're migrating your applications to the cloud, you should only process and store personal data in those cloud regions that meet your compliance requirements.
The GDPR, which came into force in 2018, has gone some way towards simplifying compliance across the European Economic Area (EEA)—by implementing a common set of data privacy standards across all member states.
But, elsewhere, you could find your preferred cloud vendor doesn't offer data centers that meet your data residency requirements. If so, it’s important that you figure out how you can ensure those requirements are met. One option is to look into NetApp® Cloud Volumes ONTAP, which supports all three main public cloud vendors. This technology can be a key part of adopting a hybrid cloud strategy, whereby you host some of your workloads in the cloud but maintain compliance by keeping sensitive personal data on-premises.
Storage has become more distributed than ever—not only in terms of where it's stored but also how it's stored.
You'll be using different cloud storage services for different types of data. For example, you'll likely use:
Maintaining visibility into and control over all this data can be a significant undertaking. So you'll need to draw up a data inventory covering all your hybrid cloud environments. This will give you a clear and comprehensive picture of all the data you have.
Next, determine which information should be classed as personal data. Ideally, you should look to adopt a privacy-by-default approach to all your personal data, treating all data subjects equally—regardless of where they reside in the world. This will make it simpler to comply with both existing and future data protection regulations. If you’ve already prepared your operation’s privacy stance for GDPR, you should have a head start towards meeting CCPA’s requirements as well—in most cases the European regulation is stricter.
In addition, as you migrate your applications, you should map the flow of data throughout your cloud. This will help you keep track of how personal data is being used and stay on the right side of privacy legislation.
New privacy laws are strengthening consumers’ rights to access, change, or delete their personal data.
Just as with your on-premises environment, good data inventory management will be essential to ensuring quick and efficient responses to their requests.
On one hand, the cloud could complicate the process of meeting such requests, as much of your data will be stored in unstructured formats for use in big data applications, such as business forecasting, social media analytics and fraud prevention.
On the other hand, the cloud can help simplify matters, as vendors offer low-cost object storage solutions for backup and archiving that allow you to finally do away with outmoded and cumbersome on-premises tape storage systems.
Migration to the cloud also calls for a new distributed approach to software design, where you break your applications down into smaller components known as microservices—each deployed to its own dedicated resource. This will give you more granular control over workload capacity requirements, helping to improve cost efficiency.
At the same time, it will also improve data security, as breaking up your applications this way will introduce additional layers of isolation that make it harder for attackers to penetrate infrastructure boundaries and gain access to your personal data.
Moving your applications to the cloud also means offloading responsibility for the physical security of your infrastructure to your cloud service provider.
But it's important to understand where your obligations lie for other aspects of privacy and security, and to maintain strong data protection measures wherever they're still under your control.
As privacy laws evolve and mature across the world, you'll need to navigate your way through a multitude of new and increasingly stringent regulatory requirements. These will prove particularly challenging in dynamic and complex cloud environments. So it’s important to invest in tools that give you the visibility and control you need over your cloud-based deployments. At the same time, as you migrate your workloads to the cloud, you'll be entrusting your personal data to a third party.
It will be key to do your research. Make sure your preferred cloud vendor provides an IT environment that's validated to the appropriate compliance frameworks. Make sure it provides the levels of data encryption your organization requires. And make sure it offers data center locations in regions where you're permitted to store and process data.
You shouldn't treat compliance as just a chore. You should treat it as an opportunity. Compliance not only provides you with a framework to help protect the privacy of your employees, suppliers and customers; it also opens up new business possibilities to companies that can demonstrate they meet the data protection requirements in many regulated industry sectors. Fortunately, NetApp has a whole new way for cloud storage users to do just that.
NetApp Cloud Compliance is the new data mapping and reporting tool for cloud data stored with Cloud Volumes ONTAP, Azure NetApp Files, and in Amazon S3 buckets. Cloud Compliance uses an intelligent AI-based technology to help companies achieve CCPA and GDPR compliance by generating data subject access reports automatically and accurately, identifying potential privacy violations before they happen, and providing insight into where sensitive data is being stored.