Laws governing data privacy are changing quickly. Concerns over spying, corporate espionage, and employee protection all have inspired complicated and evolving regulations with which organizations must comply. This is challenging enough for small companies working in a single location. But for global enterprises doing business around the world, it’s almost impossible to identify, understand, and comply with this tangled web of regulations. So how do they do it? Here’s one company that succeeded admirably.
For one global company, this is a very real challenge. Amer Sports, a Finnish holding corporation, is a sporting goods company with internationally-recognized brands such as Salomon, Wilson, Atomic, Arc’teryx, Mavic, Suunto, and Precor. The company has 7,600 employees in 150 locations on nearly every continent. Because Amer Sports does business in so many different countries, it must manage its data in each location in a way that is compliant with local regulations. According to Alexander Lohr, IT security consultant at Amer Sports, “The data privacy challenges are completely different between the U.S. and within Europe; plus there are different laws within Asia. Overall, it continues to grow gray very quickly.”
In theory, it might seem straightforward for an organization to set up a data management plan that aligns with privacy regulations. You just pick the strictest standards and implement in accordance with those, right? Except the reality is that doing so has real implications for the resources you need. Some countries, such as Germany, have laws requiring that data remain within certain boundaries. For a company like Amer Sports, with offices in many of these countries, this “just pick the strictest standards” plan invites real complications in terms of cost. They can’t just set up a single storage node in the area with the strictest laws.
In other words, complying with the privacy laws in one region may put the company in direct conflict with the laws in another. When this translates into implementation of any IT system, complying with data privacy laws is not just confusing; it’s expensive.
Because the company is required to follow such a breadth of regulations, the IT team realized that Amer Sports would have to look at setting up separate IT infrastructure at points across the globe. They saw that the company needed separate storage so that data doesn’t cross regional boundaries, separate IT administrators to comply with local laws in some countries, and in some instances, separate installations of solutions in order to manage details at such a fine-grained level.
So how does the cloud fit into this? At first glance, the cloud might seem counter-intuitive for addressing regional compliance, since one of the oft-cited reasons organizations are reluctant to move to the cloud is the loss of control. So what makes the cloud such a suitable solution, when what compliance requires is more control, not less?
But when done right, the cloud isn’t one size fits all. It’s elastic, it’s configurable, and it lends itself to the sort of adaptation global enterprises need today. Let’s look at a couple of examples.
Regional data storage requirements
Some countries, such as Germany, impose a legal burden that mandates data not leave the country. Companies operating in Germany must have IT infrastructure in the country to hold this data, with an obvious increase in expenses. By leveraging a cloud provider with a region within national boundaries, such as Amazon Web Services (AWS), the organization can store its data in a way that meets privacy regulations.
Besides the cost savings, cloud adoption also provides data resiliency, something Amer Sports wouldn’t have with an on-premises solution unless it had access to multiple datacenters. Plus, global enterprises often have to comply with more than one country’s residency requirements. This would mean standing up multiple, globally dispersed storage nodes. Using the cloud instead allowed the organization to take advantage of existing storage regions, avoiding the cost and hassle of building and maintaining its own datacenter locations.
Navigating privacy laws is a complicated business, even once you iron out issues concerning where to keep the data. An organization has to consider things like the need to shield employee data within the organization, residency requirements that mean only citizens of certain countries can access data, and the need to provide data and prove its integrity when required for compliance reasons.
This requires a system that is inherently flexible and that can be completely managed from any location — or locked down to limit who can have access. The cloud not only removes the burden of infrastructure maintenance; it can also simplify administration.
The laws governing data privacy are changing quickly, forcing global companies to become agile and responsive — two characteristics not always evident in large organizations. To learn more about how one company did just this, read the Amer Sports case study.