Data protection, privacy, and transfer regulations are a growing challenge to anyone who is the senior responsible owner (SRO) of an organisation's data. This is why some IT strategists feel uncomfortable stepping into the unknown with a cloud migration strategy.
With Europe's General Data Protection Regulation (GDPR) in play in the UK under the terms of the Data Protection Act 2018, the financial impact of a breach can be serious, as can the knock-on effects on customer relationships and trust.
Grounded by hackers
In July 2019, for example, the Information Commissioner's Office (ICO) announced its intention to levy a £183 million fine against British Airways - representing four percent of the company's turnover - for a criminal breach of its systems that took place in summer 2018. The attack, in which traffic was redirected to a fraudulent site, compromised the data of 500,000 customers.
As a result, the ICO chose to make an example of BA by announcing the biggest fine available under the new legislation. Even if such fines are ultimately not levied in full, the negative media coverage about any ruling can be devastating to revenues and share prices.
As the adage goes, reputations that have been built over decades can be lost overnight in the digital world, not least because the social platforms that companies use to spread their messages can also be used by customers to comment on how well firms measure up to their own brand values.
Back to basics
But is GDPR all about rapping the knuckles of errant companies or levying swingeing fines? Not at all, according to the ICO; sometimes the need for compliance has a much simpler impact: making leaders understand the data landscape in which they have been operating for years.
Speaking at a GDPR policy conference in London in January 2019, Jonathan Bamford, the ICO's Director of Strategic Policy, explained that GDPR and the updated Data Protection Act have had one little-acknowledged benefit: forcing organisations to get to grips with the basics of compliance for the first time, despite clear obligations under the 1998 Act that all should have been aware of.
Bamford told delegates from government, technology, and business, "A lot of the work we've had to do in terms of advice and complaints-handling has been on what I regard as core data protection issues. Not new things that have cropped up under GDPR, but data protection basics that organisations should have been on top of for a long, long time.
"A lot of our effort hasn't been on the minutiae of changes under GDPR or the Data Protection Act 2018, it's been on core issues like subject access. A lot of the enquiries we've received have been about these data protection basics."
By January 2019 - eight months after GDPR had come into force in British law - there had been a 93 percent year-on-year surge in compliance enquiries to the ICO, and a 94 percent rise in complaints about data breaches. Most were about core privacy and protection issues, said Bamford, and roughly one-third of such complaints are typically upheld.
Compliance, therefore, is always on the minds of nervous IT leaders. And in some industries - such as Financial Services - the regulatory burden is expanding far beyond GDPR. In many such cases, organisations are left to interpret regulators' reporting requirements in their own (often inconsistent) ways.
Meanwhile, programmes that are intended to digitise or automate reporting within those sectors have proved to be surprisingly complex and difficult, due to the need to standardise data formats across fiercely competitive industries. This leaves many companies a hostage to the fortunes of their service providers and/or their own internal IT teams.
The cloud question
So how big a factor is compliance when migrating business functions to the cloud - especially given that most organisations also hold reams of data about their employees and internal processes?
According to a Computing Research survey of 150 IT leaders across medium to large enterprises, compliance issues are one of the biggest 'fear factors' preventing some organisations from shifting functions into the cloud. Just under 40 percent of respondents cited compliance as a concern, behind the related issues of security (cited by over 42 percent) and migration complexity (by 41 percent).
However, only 28 percent of respondents that have either moved applications to the cloud or are actively doing so said that such fears had proved to be founded - significantly behind other factors, such as migration complexity, legacy systems, security, cost, lack of internal skills, and integration challenges.
Indeed, two-thirds of respondents cited improved compliance as being either a major or important motive for moving functions to the cloud in the first place.
Their faith in cloud-based systems was mostly repaid, suggested the survey: 71 percent of IT leaders who have moved functions to the cloud said that, overall, improved compliance had been achieved either extremely successfully (27 percent) or very successfully (44 percent). A further 20 percent said that it had been achieved adequately - a combined total of 91 percent satisfaction.
With 83 percent of respondents also citing the security of cloud services as important or very important, and 75 percent attracted by the availability of a single data set, it seems that the reality of compliance in the cloud often outshines the doom-mongers.
But one thing is also clear: it doesn't absolve SROs of responsibility for good management of their data, or for getting to grips with the detail of critical regulations.