School of Business publications portal
This portal is no longer updated. Aalto University School of Business Master's Theses are now in the Aaltodoc publication archive (Aalto University institutional repository)
School of Business | Department of Information and Service Economy | Information Systems Science | 2013
Thesis number: 13392
Regulatory GRC in the cloud - An explorative comparison of the legal challenges in the European Union and the United States
Author: Rekola, Krista
Title: Regulatory GRC in the cloud - An explorative comparison of the legal challenges in the European Union and the United States
Year: 2013  Language: eng
Department: Department of Information and Service Economy
Academic subject: Information Systems Science
Index terms: tietotekniikka; information technology; palvelut; service; riski; risk; riskienhallinta; risk management; tietosuoja; data security; lainsäädäntö; legislation; yksityisyys; privacy
Pages: 136
Key terms: cloud computing; data protection; privacy; security; legislation; standard contracts; governance; compliance; risk management; GRC; B2B transactions
Objectives of the study

The increasingly prevalent use of cloud services, combined with mounting regulatory pressure driven by recent privacy and security incidents, has indicated the need for a better understanding of the legal challenges in the cloud environment. Although technical and business risks have both been documented by academia, few studies have comprehensively considered the legal dimensions. We aim to provide a broad overview of the legal framework surrounding cloud computing as well as the gaps therein. We also propose a framework for structuring regulatory governance, risk management, and compliance in the cloud environment.

Academic background and methodology

The main legal challenges in the cloud environment boil down to questions of obscure jurisdiction, control over data ownership, privacy, and third-party access to data. Focusing instead on detailed specifics, few, if any, scholars have attempted to construct what would be most useful from a managerial perspective - a comprehensive overview of the legal landscape complete with ways to combat its risks. Much the same can be said of governance, risk management, and compliance (GRC) frameworks. Even though GRC models have been studied for example from an IT perspective, limited progress has been made in developing a framework aimed specifically at providing guidance for ensuring regulatory compliance and minimizing legal risks. In order to assemble a comprehensive view of the relevant legal framework, we study the cloud service contracts of twenty-one service providers in addition to the main regulatory statutes in the European Union and the United states. The empirical material and focal points have been selected based on their significance for both cloud users and service providers in business-to-business relationships.

Findings and conclusions

Based on our analysis of the cloud environment, it is evident that the existing legislative framework is severely crippled by various weaknesses. Even though contracts are extensively used to overcome these aforementioned deficiencies, even the broadest and most detailed documentation is futile in face of all the shortcomings. Existing legislation has failed to adapt to modern technologies, remaining fragmented and controversially applied, thus creating conspicuous gaps between a literal interpretation of the statutory texts and the factual use of cloud technologies. Even future legislative reforms are thus unlikely to displace the need for new governance, compliance, and risk management measures focused on legal issues.
Master's theses are stored at Learning Centre in Otaniemi.