| | October 20148CIOReviewopinionin myMaxiMizing the benefits of the cloud in highly regulated industriesBy Neal M. Suggs, VP & Associate General Counsel, Worldwide Sales Group, Commercial Business, Legal & Corporate Affairs, Microsoft Corp. Many organizations in highly regulated industries approach Cloud Computing with a degree of trepidation, and some fear that regulators are actively discouraging Cloud Computing. Ensuring that a move to the cloud will meet regulatory requirements is serious business that can result in significant consequences with financial, legal and reputational implications. For these organizations, the benefits of the cloud are within reach, just as they are to smaller organizations operating in less restrictive environments, but success requires planning and preparing for compliance requirements earlier in the process of selecting a cloud provider. Identifying cloud needs ahead of time, selecting and working with a cloud services provider with expertise working with customers in a specific industry and with regulators are crucial. That expertise will enable an organization to evaluate and identify the appropriate workloads (email, content creation and storage, collaboration) that can move successfully to the cloud, while also ensuring that along the way, the right regulatory issues are considered and addressed for the present and the future.All Workloads Aren't Regulated EquallyBefore a decision is made on a cloud service, and well before requesting a regulatory analysis from your legal team, organizations should identify the workloads and scenarios they want to move to the cloud. Key questions to consider include whether the organization serves businesses or consumers. Will it feature a consumer-facing website that collects Personally Identifiable Information (PII) or will it transact business? Does the organization work with classified or highly confidential data? Will it handle data for minors? It is essential to consider these questions before engaging a legal team to conduct regulatory analysis, and it will help in making a clearer and more compelling case if and when seeking regulatory approval. Armed with this information, a legal team is better equipped to investigate which regulations apply and what must be done in order to meet compliance requirements.Some Rules Apply Across IndustriesA number of existing regulatory requirements apply horizontally across a range of industries. Will a system have access to personal health information for U.S. residents? Then Health Information Portability and Accountability Act (HIPAA) requirements must be met. Does the organization operate in Europe now, or will it in the future? European operations that require the movement of personal data outside of the European Union (EU) raise concerns about the EU Model Clauses. If the organization is a state or local government entity, does it rely on access to the Criminal Justice Information Service (CJIS) Neal M. Suggs
< Page 7 | Page 9 >