The shifting compliance landscape demands distributed cloud architecture

As vendors become custodians of an ever-growing pile of sensitive customer data, jurisdictions have recognised the need to effectively protect that data. The EU was an early mover on this front with the adoption of the GDPR in 2016 and the subsequent enactment of the law in 2018.
GDPR is no longer the only game in town, however. Individual countries, from Japan to South Africa, are developing their own data protection and privacy laws.
To confidently comply with this growing wave of regulations, organisations need to ensure that their cloud services provider both stores and processes data in the jurisdiction in which it is created. To this end, a flexible, distributed, security-first cloud architecture becomes a fundamental requirement for organisations, as anything less will greatly limit their operational flexibility.
Global compliance requires a global cloud
Simply put, the days of one centralised cloud are over in a world where the EU might have different data protection requirements than the UK, which in turn has different requirements from Korea or Brazil.
It’s not just that the regulations in these countries demand stringent protection. If that were the only concern, your typical legal organisation could address most of its compliance headaches simply by taking a Euro-centric stance and utilising a European datacenter for its data. The thinking behind that approach is that if you can address stringent European requirements, you can probably address any other country’s protection and privacy requirements at the same time.
Unfortunately, the challenge is more involved than just protecting data and maintaining strict security standards. Many of these new privacy laws require that data be kept in the region. In other words, in order to be fully compliant, data must remain within a specific jurisdiction – unless the user requests otherwise.
Compliance with this requirement goes out the window, however, if a law firm stores data in the required country, but then processes that data – by running OCR, indexing or other services – in another country. True compliance means that data is 100% stored and processed in a region, which is precisely why a distributed cloud architecture is necessary.
It’s not practical for individual organisations to build and maintain this architecture themselves: they don’t have the time or money to invest in infrastructure in multiple places around the globe every time a new country announces its own privacy regulation. Partnering with a vendor who uses a cloud with the broadest available global footprint becomes essential in being able to nimbly respond to laws that emerge in any corner of the world.
Don’t forget security and performance
A flexible, distributed cloud architecture is just one piece of the equation. The more distributed a cloud architecture is, the greater the potential surface area for a bad actor to try to penetrate its defences. So, not only do legal organisations need a distributed cloud architecture, but they also need one that takes security best practices into consideration.
Foundational to this security-first approach is a cloud that has applied Zero Trust architecture principles and one that relies on Zero Touch management and administration as much as possible. A Zero Touch approach largely removes human vulnerabilities by automating processes around the cloud, from routine administration to advanced troubleshooting.
This automation is important because if you’re relying on humans to ensure that everything in all your various cloud instances is set up and configured properly, inevitably you’re going to miss something. An act as simple as someone forgetting to tick the box for a particular security setting or making some other configuration error can have serious consequences: according to the 2021 Verizon Data Breach Incident Report, 85% of breaches involved a human element.
As important as security is to a distributed cloud that helps organisations meet their compliance requirements, so too is performance. You can’t simultaneously keep data “in region” around the world, and then also have optimal performance accessing that data unless you have a modern cloud architecture which has specifically been architected to provide expected performance levels while still maintaining all data residency restrictions. End user performance shouldn’t have to suffer in the name of compliance.
It’s not getting any easier
The ability to maintain compliance with data residency requirements is a challenge that is gaining more and more steam as an increasing number of countries come up with their own data privacy laws.
In this evolving compliance landscape, legal organisations need a modern, flexible, distributed cloud architecture – one that doesn’t sacrifice any aspect of security or performance – to fully rise to the occasion and ensure data is being managed and governed appropriately. Without it, they risk being overwhelmed by the growing complexities around global compliance challenges.
Mark Richman, principal product manager, Cloud Platform, iManage