Shifting to Software-Defined
Showing results for 
Search instead for 
Did you mean: 

Compliance in the Cloud: Global Privacy Regulations


This is the second blog in a series of blogs and podcasts that provides the information surrounding the concepts of compliance in a cloud environment. In this series, we will greater insight into the concepts and best practices for many of the considerations that are generally part of a cloud compliance program. In the previous blog, we reviewed “The Need for Compliance.” In this installment, we will be discussing the topic: "Global Privacy Regulations."

 If you are paying attention to the news over the past few months, you probably heard something about the Safe Harbor and/or Privacy Shield regulations. You may have even heard a whole series of letters (GDPR) associated with it, but decided to change the channel and catch up on the latest Olympic or election coveragComplianceInTheCloudSeries.jpge.  The bad news: these regulations are pretty important, and you missed something that you probably need to be more informed about. The good news: this blog should help get you up to speed with some of the basics on these important topics.

Safe Harbor: To address the significant differences regarding how privacy considerations are addressed by the United States and the European Union, the U.S. Department of Commerce in consultation with the European Commission developed a "Safe Harbor" framework to address some of these differences.  The Safe Harbor agreement was created to address the European Commission’s Directive on Data Protection in October of 1998, and prohibited the transfer of personal data to non-European Union countries that do not meet the European Union (EU) “adequacy” standard for privacy protection.

Privacy Shield: In October 2015, the European Court of Justice was asked to rule on the adequacy of the Safe Harbor privacy regulations, which were originally accepted by the European Commission in July 2000. After some legal review by various European courts, the European Court of Justice invalidated the Safe Harbor agreement, requiring the European Commission to revisit the regulations between the EU and the United States. In February 2016, the EU and the US had reached an agreement (called the Privacy Shield) to address the concerns that invalidated Safe Harbor. On July 8th, representatives of the 28 EU member nations approved the final version of the Privacy Shield agreement, and was formally adopted and put into full effect on July 12th.

General Data Protection Regulation (GDPR): While all of this was going on, the European Commission was also looking for ways to strengthen privacy regulations within the European Union.  The General Data Protection Regulation (GDPR) was created to enhance and unify data privacy considerations for citizens of EU member countries, as well as protection of data outside of the EU.  The regulation was adopted in April 2016, and will be phased into enforcement over two years, being in full effect in May 2018.

As you can tell, this is a rapidly changing story. Already, some data privacy advocates have questioned the strength of the new Privacy Shield agreement, and have vowed to challenge the agreement in the courts.  They have specific concerns about how data is stored and used by social media and search companies doing business in the EU.

Companies are advised to be aware of the changing landscape of these regulations. As the regulations move through the courts and litigation processes, they will undoubtedly change, and change again. Any company trying to comply with these regulations may find themselves having to pivot from one compliance direction to another.

That said, the basics of the regulations are not likely to change significantly, and it makes sense to prepare for those changes. Completing a data inventory and having a basic understanding how your company was affected by the previous Safe Harbor as well as the current Privacy Shield regulations is a very good start. While the final outcome of these regulations is not certain, without question the final version will embody many (if not most) of the Safe Harbor / Privacy Shield / GDPR controls and considerations. 

For the next blog in this series, we will discuss the compliance topic: "End User Security.” To learn more about cloud compliance and hybrid cloud security, download the whitepaper from 451 Research Group. You can also learn more about the HPE Right Mix hybrid cloud, as well as the Right Mix approach to cloud security.

To find the additional parts of this series, please search for Compliance in the Cloud. Click here to find a list of all of Chris Steffen’s blogs on Grounded in the Cloud and here for his posts on his Medium site.

0 Kudos
About the Author


Chris Steffen is the Chief Evangelist for HPE Cloud Security. He is part of the HPE Helion team that works to educate and promote information security as it relates to cloud computing solutions. Before joining HPE, Chris spent over 15 years as an IT executive and security practitioner in multiple industries, including financial services, manufacturing and government. He is a noted industry expert, and has multiple technical certifications, including CISSP and CISA. You can follow him on Twitter at @CloudSecChris.

June 19 - 21
Las Vegas, NV
HPE Discover 2018 Las Vegas
Learn about all things Discover 2018 in Las Vegas, Nevada, June 19 - 21, 2018.
Read more
See posts for dates
See posts for locations
HPE at 2018 Technology Events
Learn about the technology events where Hewlett Packard Enterprise will have a presence in 2018.
Read more
View all