
Cutting through the complexity of data regulation to embrace cloud

13 Feb 2014 12:00 AM | Anonymous

The volume of rules that organisations must adhere to for data regulation purposes is ever increasing and becoming more complex; there are multiple laws within each country, the EU and internationally. This ‘layer cake’ of rules brings huge complexity and businesses are left confused.

There is uncertainty about the status of the proposed EU Data Protection Regulation, which was intended to update data protection rules and harmonise them across the EU; as a result, there is still no clear guidance from the European Commission. This has left countries within the EU to implement the rules as they see fit. The volume of regulations and the lack of clarity are creating a barrier to moving to the cloud, but this need not be the case.

Our experience with Cloud Services customers is that, by looking at each layer of the complex ‘cake’ separately and taking the following steps, the overall task is made simpler and less daunting and so enables businesses to use cloud:

1. The first step is to determine which cloud model - public, private or hybrid - is most suited to your business. Naturally you are looking for a cloud which is highly appropriate for your business, but there’s no such thing as a “one-size-fits-all” contract or a “standard cloud”.

2. It is important to decide early on which aspects of the business will move to the cloud, which countries you are going to do business in and where your data is going to be located - all of this will affect which regulations you need to comply with.

3. The next stage is to examine the industry sector regulations that are relevant to your business. This will help narrow down which rules to address first. For example, there are strict regulations specific to patient data in healthcare and specific guidelines for storing customers’ credit card details in the retail sector - these requirements must be addressed from the outset.

4. Having met the sector specific guidelines, you can move up the layer cake and address country requirements - for example certain types of data in Germany have to be stored in German-based data centres. You will need to look at the main country you operate in, as well as other countries you do business in, since each country has its own laws. And be aware when choosing a vendor that very few have data centres located in every EU country, so the first thing you will need to do is get clarity regarding where the data will be stored and whether it will move outside the EU. If the data will transfer outside the EU, you will need to establish that the necessary safeguards for the data transfer are in place.

5. You’re then ready to move up another layer and ensure you are compliant with the European Union requirements which have some of the most stringent data regulation standards in the world. Compliance here is the gold standard for data protection and will very likely mean you are globally compliant, therefore satisfying the final layer of the process.

By following a systematic, objective process like this, you’ll hopefully find the volume of regulations to comply with significantly less daunting. You will be able to make informed decisions about risk when moving to cloud models and, as a business, you can create a governance footprint.
