This piece was co-written by Marcello Burgio, Vice President of Global Infrastructure, and Jim McInnes, Senior Vice President and Managing Director of Europe, at Velocity.

The revelations about the U.S. National Security Agency’s data monitoring put a spotlight on one of the principal hurdles for companies seeking to go global with cloud computing implementation: compliance with data privacy laws in multiple geographies. The reason is that data privacy laws, especially those governing highly regulated industries like healthcare and banking, vary widely from country to country, and an international corporation must take them into account when implementing the cloud across borders. It isn’t a simple endeavor. In fact, one of the most difficult questions for multinational organizations to answer is: How can you effectively leverage and utilize the data of your organization if by law you cannot transport that information out of one or more of the countries in which you operate?

A “global thinking” CIO’s goal for using the cloud is to provide his organization with secured environments for data that will successfully improve business operations in a safe, functionally dynamic and compliant manner. While technology – specifically the cloud – gives businesses the power to achieve a cloud that crosses borders, the reality is that in many cases the varied laws that must be complied with around the world can seemingly handcuff a business’s ability to take full advantage of the cloud’s innovative offering.   

So how should companies address the cloud in order to build a strong global delivery model? Here are some places to start:

Recognize that the architecture of your cloud environment is key. It’s not unusual for companies to have several data repository channels – whether through different hosting providers or within different geographic locations. To be successful, the CIO must be able to determine, define and design a strong and secure architectural model of how data will be managed, considering that when it comes to data, one size does not fit all. In other words, the type of data (e.g., business records vs. central government data vs. personally identifiable data) is an important factor in what can be done and where. One important success strategy for a CIO operating within a broad region such as the European Union is to house the data within a particular country and determine the “compute capabilities” that are permitted by directive or regulation to be taken outside of the country but remain within the region. In North America, current regulations are looser.

Understand the respective data storage regulations in the countries you operate in. Recent data security and privacy conversations brought on by the Snowden/NSA issue have amplified the concerns around information storage. As a result, a number of central governmental bodies are contemplating changes that would require data processed in their countries to be stored only in clouds to which their country’s data protection laws apply. This could add a tremendous amount of complexity to an already difficult, and at times confusing, set of regulations. At Velocity, we’re cloud and application experts and not legal counselors. In a global implementation, it’s critical for a customer to integrate corporate legal counsel with the appropriate country expertise early in the process in order to properly navigate the regulatory terrain and set up the appropriate internal compliance mechanisms. Our role as a Cloud Services provider is to deliver a managed repository for your IT environments that safely houses your data, and to provide the requisite service level -- whether that involves Managed Application Services, Platform-as-a-Service, Infrastructure-as-a-Service, Managed Disaster Recovery or related project services -- as well as access to tools that provide visibility into the cloud and enable you to drill down to the level of information you require.

As a global cloud provider, we find that the best-architected solutions are those that provide scaled compute power where possible, while maintaining the ability to tailor to specific data or legislative requirements at the application level. Not all clouds are built or should be built the same.