24 May 2017

As companies transit from a filing cabinet, paper and hard-copy heavy workflow to an online, automated and shared on-demand digital environment, transformation to a more agile enterprise comes with familiar and not-so-familiar compliance and regulatory considerations.

Digitisation and compliance

Traditional on-premise manual paper trails are being replaced by automated records and the building of business intelligence offsite introduces the conundrum that is governance, compliance, and the legal requirements surrounding security of storage and data privacy.

Omid Mahboubi, co-founder of the Middle East North Africa Cloud Alliance (MENACA), said data residency is one of the first considerations especially within highly regulated verticals such as the financial sector.

“Using shared/on-demand services probably means that data, or a subset of data, is leaving your country and is most probably stored and backed-up in multiple geographical locations,” he said.

The establishment of data ownership is critical and Mahboubi said this is primarily a function of an organisation-wide governance framework, which defines how to manage the relationship between the firm and third parties, such as cloud service providers.

Assets are becoming the new currency

That framework might include the creation of a digital roadmap, which matches data concerns with a technology that serves the core competencies of the business.

“Interoperability and portability of data should also be thoroughly understood before trusting a third-party with your data assets – assets that are increasingly becoming the new currency,” Mahboubi advised.

It may also be useful to conduct a compare-and-contrast compliance exercise, by analysing the biggest differences between compliance and regulation for a company operating in a traditional, non-digitised environment with one adopting cloud-based technologies.

Mahboubi explained that from a compliance perspective, by opting to use cloud services, a company is basically trusting a third party such as a cloud service provider with the handling of its datasets.

“Although some industries have stricter compliance guidelines like financial services and healthcare, it is conceivable for a company to leverage cloud-based technologies and begin its digital journey with minimal to no compliance and/or regulatory concerns.”

Of course this worry-free cloud adoption would be the result of reliable answers to questions including: What are the general and vertical-specific regulations applicable to our business? What data sets would be sensitive enough to fall under regulatory/compliance concerns? Which cloud products provide enough flexibility to be able to satisfy future regulations in the industry? What workloads are best candidates for our digitisation journey and at what stage? How do I assess the capabilities of available cloud service providers in my region?

Have a curious attitude to digitisation

Distil all those questions and overall, Mahboubi said, the biggest difference is in having a curious attitude towards taking advantage of digitisation, and “the willingness to evolve from a server-hugging manager into one who embraces agility, flexibility, faster time-to-market and so many other benefits cloud has to offer.”

From his industry association standpoint, the MENACA co-founder is witnessing the rapid pace of digital transformation with the emergence of more and more innovative cloud services and providers.

But while they are proving their agile credentials, is the associated compliance just as nimble? Can regulation keep up with the pace of innovation and is this an obstacle for business?

Mahboubi said regulation is always on the back foot.

“There is an inherent element of ‘almost-always-lagging-behind’ simply because of the speeds at which technology moves. However, as cloud becomes even more ubiquitous, I expect the dynamics to change in the not too distant future,” he noted.

“Although hard to conceive at this point in time, I believe that we will get to a point where ‘the community’ regulates itself. We can see sparkles of this in blockchain-based technologies where, for instance, Bitcoin is operating outside the traditional regulatory space, and I can envision a future where users, in an effortless fashion, protect their own privacy and data integrity and leverage technology almost as instantly as it is created.” 

Regulation must be a collaborative effort

Self-regulation may become the norm in time, but where can today’s architects of digital transformation find the relevant information. One hurdle to swift system implication is time spent on identifying who is the best qualified author of regulation.

Mahboubi is emphatic: “Governments are expected to be the source of such information. Not only that, progressive regulators collaborate (heavily) with industry associations, seek feedback from the community, design compliance frameworks that encourages cloud adoption, educate and certify the ecosystem, and make sure enforceability of such laws maintains a reasonable standard.”

Ultimately, responsibility lies with all players within the ecosystem, he added.

“Governments are beginning to realise their impact on the technology landscape in general and the cloud market in particular should be one that promotes, not restricts, cross-border data flows while at the same time protects the integrity of their citizens’ Personally Identifiable Information (PIIs).”

Telcos too are embracing their role as an “enabler” rather than just another cloud service provider, and CSPs are positioning themselves as not only IT technical experts, but also regulation-aware providers compliant with local and international laws.

However, Mahboubi worries that the pace of technological advances and lack of regulatory clarity will lead to confusion in the market and adversely affect adoption.  This lack of clarity is a universal hurdle from business to government.

The solutions, he argues, lie with the conduits such as associations acting as voices of the industry and facilitating constructive dialogue between all stakeholders. This will provide crucial feedback for future legislations, and suggest best practices to boost cloud delivery and consumption under existing laws and regulations.

“Having said all that, looking at it through the eyes of a cloud consumer, the buck stops with you,” he concludes.

© Oracle 2017