As digital transformation accelerates, and digital commerce increasingly becomes the dominant form of all commerce, regulators and governments around the world are recognizing the increased need for consumer protections and data protection measures. The European Union has been at the vanguard for some time (most recently having reached provisional agreement on the Digital Services Act) but from Australia to Brazil, from South Africa to California (the rest of the US hasn’t quite caught on yet!), from China to the UK, new data governance and protection rules are coming in on an almost daily basis. Given the global nature of commerce and the internet, many of these new rules will have broad impacts beyond the jurisdiction of the rule makers. Companies doing business with Europe need to be aware of their legal obligations—most notably the General Data Protection Regulation (GDPR)—even if they are based elsewhere. On top of that, sector-specific rules—in areas like healthcare and finance—are layering an incremental burden on businesses to make sure their data assets and processes are compliant.
There are many reasons to deploy a hybrid cloud architecture—not least cost, performance, reliability, security, and control of infrastructure. But increasingly at Cloudera, our clients are looking for a hybrid cloud architecture in order to manage compliance requirements. This is not just to implement specific governance rules—such as tagging, metadata management, access controls, or anonymization—but to prepare for the potential for rules to change in the future.
For example, the GDPR, which went into effect in 2018, set forth strict obligations for processing personal data and enhanced privacy rights for individuals. Like its predecessor, the GDPR maintained restrictions on transfers of personal data outside the EU and standards to handle exceptions for such cross-border transfers (for example, the EU-US Privacy Shield framework for personal data transfers to the US). When the Court of Justice of the European Union invalidated the Privacy Shield in its Schrems II ruling in 2020, however, businesses transferring personal data to the US in reliance on the framework had to implement new mechanisms to continue to transfer such data lawfully, namely, by executing standard contractual clauses between the parties engaged in the transfers. Moreover, Schrems II also required companies to set up new processes and procedures to safeguard data, such as conducting transfer impact assessments to ensure the privacy of data. Given the challenging regulatory environment, businesses processing personal data subject to the GDPR need to consider whether to store such data in a US public cloud or house it either in an EU public cloud, or behind the firewall of an EU company itself.
Designing an enterprise data architecture in anticipation of such regulatory changes is challenging. The dynamics in Europe could spur the US government to implement omnibus data protection legislation or enhance its rules for the data security and privacy of foreign individuals to secure a new version of the Privacy Shield with the Court of Justice of the European Union—like the Trans-Atlantic Data Privacy Framework, which would mean that the EU considers the US as “safe” for EU personal data. Moreover, the EU data protection regime has already inspired similar data protection laws worldwide, with some laws placing similar restrictions on international transfers of data. What all of this means, in effect, is that data protection regimes are still evolving, and may change further in the coming years. The question is whether the data architecture is agile enough to respond when those changes happen.
The promise of the hybrid data platform is that data assets can reside in a single platform, across multiple clouds. Each cloud—for example a US public cloud, an EU public cloud, a private cloud, or a dedicated on-prem healthcare industry cloud—can have its own governance rules around access, control, and data hygiene, complying with the rules of the business, the clients, and the industries that they serve. When the rules change, the governance can change; similarly, when the rules change, the jurisdiction and infrastructure can change too. This is a radical new approach to data architecture that goes beyond simple data meshing; it introduces a dynamism to the architectural layers that we have not seen before.
Taking advantage of the hybrid cloud while ensuring compliance is a conundrum that organizations are looking to solve. Because each individual infrastructure has its own architecture, framework, and implications for data security and privacy, ensuring compliance across all of them is not straightforward. One of the key characteristics of a hybrid data platform is cross-platform security and governance. Good, proactive governance not only uncovers business value but also helps demonstrate compliance. Governance must also work hand in hand with security to restrict who can access what data, or to restrict where it is permitted to reside. Neither can be an afterthought in any one form factor, and even less so across several. Consistent security and governance across all clouds is the crux of hybrid cloud success and a fundamental requirement for the mobility of data and services.
Within Cloudera Data Platform (CDP), the Shared Data Experience (SDX) is the fundamental capability that provides data security and governance. Independent of the compute and storage layers, SDX delivers an integrated set of security and governance technologies built on metadata and ensures consistency across hybrid clouds. With SDX, organizations have the insight they need into their data to make the right, informed decisions on how it can be used in a safe and compliant manner, and the ability to move data and analytics across the hybrid cloud to remain compliant should regulations change.
Find out more about how Cloudera helps organizations leverage the hybrid cloud for international data privacy compliance.