A few days ago, IBM sent out a press release announcing that the company had patented the design for a “data privacy engine” that can protect personal data more efficiently and affordably as it is transferred between countries, in compliance with both organizational policies and local laws.
This announcement turns the spotlight on a challenge that multi-national organizations in particular are facing today: regulation sprawl. In the face of an increasing number of regulations covering a broad variety of topics, such as privacy, export controls, anti-money laundering and many others, staying compliant is not always easy.
While there are a number of common concepts in regulations, such as traceability, regulations both within a country and across different countries are often in conflict. The aspect IBM is focusing on provides good examples of this conflict. Some data that would be considered personal data needing protection in Germany may not be classified this way in Mexico, and vice versa. In another example, some years ago Deutsche Bahn (the German state-owned railway) violated data protection regulations during an anti-fraud initiative. According to one set of regulations, it was required to act against fraud; however, in analyzing the flow of fraudulent payments it violated the data protection law.
While many organizations have established a governance organization that analyzes the range of regulations applying across all the various countries in which they operate, we still frequently observe another approach that might be described as “the art of ignorance”. This is especially true when it comes to cloud computing. Both cloud service providers and cloud customers seem to exercise that art.
There are still many cloud service providers that do not have sufficient insight into local laws, such as the data protection laws across the various EU countries. Thus, there is massive variation in the answers given to common questions such as: support for standard contracts that are in accordance with EU regulations and local law for personal data, and the location and operation of data centers. This is sometimes hard to understand because, obviously, the better the answers, the more business these cloud service providers will obtain.
The same holds true for some (potential) consumers of cloud services. Some just avoid moving to the cloud due to the uncertainty they feel, while others just do it anyway despite the uncertainty, hoping that the rewards will be worth it. However, to properly balance risk against reward, you need to understand the risks, both from a compliance perspective and from a technical and organizational perspective. (This could be understood as being part of governance anyway; for example, an organization might want to align with ISO 2700x and other standards.) It is better to make the effort to understand the risks than to ignore them or, on the other hand, to miss the opportunities cloud services offer just because of the uncertainty.
There is a famous quotation from a work by the English poet Thomas Gray: “where ignorance is bliss, 'tis folly to be wise”. This was a reflection on the time of his youth, when he was allowed to be ignorant and content. However, organizations cannot afford the contented ignorance of youth. Ignorance is no excuse in the law, and ignorance does not help to make good decisions balancing risk with reward. Organizations need knowledge to understand their obligations, in order to understand the costs of compliance across all of their operations and markets. They need to understand the potential conflicts in order to plot a safe course through compliance with multiple regulations. Only through knowledge is it possible to manage risk and truly ensure that the rewards really balance the risks. In this case, ignorance is not bliss.
This article originally appeared in the KuppingerCole Analysts' View newsletter.