Legal & compliance must be part of your project team from the get go.

You need to understand that a (partial) migration to the cloud will often completely disrupt your existing security and governance strategy. Governance methods that worked for traditional on-premises systems probably won’t work for the cloud. As organisations move data to the public cloud, their control decreases, and more responsibility falls on the cloud provider. However, your organisation is still responsible for your data, as you are a data controller. You must therefore shape your security and governance strategies as well as your privacy compliance programme to rely less on internal security, monitoring and control, and more on your cloud provider’s offerings.

Since security is never 100 percent perfect, it’s important for you to plan ahead for potential breaches, failover and disaster recovery. And of course, these additional security tools and services will increase overall project and operational costs. New or enhanced compliance policies call for communication and training to ensure a successful transformation.

I will discuss security in more detail in an upcoming article.

You need to be aware of the wide range of specific laws and regulations that might be applicable to your organisation operating internationally. In addition to the Swiss Federal Act on Data Protection, this might also include rules such as professional secrecy and confidentiality requirements or the EU’s General Data Protection Regulation (GDPR). These provisions might stipulate that specific confidential information, but also sensitive data, may not leave the physical boundaries of the country or region (residency), and that the information must not be exposed to unauthorised parties (privacy).

Depending on the operational set-up of your organisation and the preferred service provider, you might need to consider additional laws that may challenge your transformation project, such as:

• The United Kingdom Data Protection Law
• Russian Data Privacy Law
• California Consumer Privacy Act (CCPA)
• Clarifying Lawful Overseas Use of Data Act (CLOUD Act)
• The Canadian Personal Information Protection and Electronic Documents Act (PIPEDA)

As already mentioned, GDPR is an important piece of data privacy legislation that includes provisions on how, why and where data on individuals in the EU is processed, and requires organisations to have an overview and control over their data – not only to comply with the transparency and accountability obligations. In the ‘Schrems II’ ruling, the European Court of Justice (ECJ) declared the so-called EU-US Privacy Shield invalid. The Privacy Shield provided a framework for companies to transfer personal data between the EU and the US that are compliant with applicable privacy provisions. Data privacy professionals expect to see additional data privacy legislation and restrictions appear across Europe (but also Switzerland) based on this ruling.

Besides these data protection provisions, there are also industry-specific compliance requirements that may affect your project. Examples of such requirements include:

• Swiss Banking Secrecy and Professional Secrecy (e.g. for lawyers, auditors and doctors)
• The Health Information Portability and Accountability Act (HIPAA)
• The Health Information Technology for Economic and Clinical Health (HITECH) Act
• The Payment Card Industry Data Security Standards (PCI DSS)

And then there are third-party obligations: Agreements must be concluded with business partners in which clear instructions are given on how, where and why a party such as a contractor or vendor will process personal or confidential data belonging to your organisation. Such agreements often hold your external party accountable for securing the data in the same way as the controller of the data, including adherence to all residency, privacy and compliance requirements. For example, a contracted agency performing work for a bank in Switzerland must observe all the data protection requirements mandated by Swiss Banking Secrecy and FINMA.

As soon as you have an overview of all laws and regulations that apply to you, it’s time to really understand the technology you plan to use, and how one translates into the other. The use of external providers, or a hybrid of internal and external services, can lead to additional business, technical, project and operational risks. Reputation and data or security breaches at providers will impact you more than ever. More complex cloud set-ups like multi-geo and the use of data regions need to be understood in detail for each cloud service you intend to use. Where is your data at rest, where does your data go on transit? Functionalities like Lockbox and encryption options like Bring Your Own Key and Manage Your Own Key need to be understood in detail. Who can see what? Does your supplier work with third parties? What can they see and do? Who and where is your super admin?

Sensationalised stories about data loss in the cloud, risk of unlawful data access by foreign authorities and publicised security breaches can make it difficult to gain trust and support for the transformation to cloud systems, especially public clouds. You as a project team will spend a lot of time allaying fears, proving the solution and generally providing answers to stakeholder questions.

And this you can only do when you all have the same understanding, speak the same language, agree on the way forward and work together as a team right from the beginning.