Compliance rules complicate nonprofits' move to cloud-based computing

As nonprofits turn to cloud-based computing, these organizations must be aware of how moving to the cloud influences regulatory compliance processes.

Nonprofit agencies rarely have compliance managers. If a small nonprofit is lucky, it will employ an IT manager who handles compliance strategy -- but more often, it simply relegates those tasks to an office manager or assistant director.

Vanessa James

Sparse staffing and budgets are the primary lure for small nonprofit organizations turning to cloud-based computing services, but many nonprofit directors are still hesitant to make the move, concerned that cloud computing's quirks could be their organization's downfall.

Compliance realities are a big part of these concerns. No matter what departments are managing applications and data, organizations must be sure that all of their associates -- from staff to volunteers to vendors -- are adhering to relevant industry rules and regulations.

Nonprofit CIOs and IT managers are experiencing increased complexity in their compliance endeavors simply because their funding sources often require various compliance-related controls. Without the assurances that come from meeting regulatory compliance mandates, the organization could be denied federal funding or grants.

This layer of risk makes it crucial that nonprofits engaging in cloud-based computing services -- whether via a public cloud or through a cloud services provider -- first assess a few crucial areas to negate cloud computing's potential compliance snags.

Is your provider onboard with compliance?

First and foremost, it's up to the CIO or IT director to confirm that the cloud vendor is qualified to maintain compliance with any of the regulations governing their particular funding sources and/or relevant federal restrictions.

Many cloud providers have already started following all forms of compliance dictated within myriad federal, state and private trust-driven grant regulations, as well as laws mandated within certain industries. However, you can't leave this particular element to chance: If a data breach occurs, it's the nonprofit organization that will ultimately pay the price.

Nonprofits are not completely adrift. The Health Insurance Portability and Accountability Act (HIPAA) requires by law that cloud service providers serving health care organizations be considered "covered entities," and they are thus inextricably linked to their contracted clients.

Therefore, like any other employee or contractor, these organizations are mandated to provide a secure, confidential environment for data storage, transfer, monitoring and incident response. The service providers are also required to meet the specific policies and protocols required by HIPAA §164.312.

Nonprofit organizations looking to alleviate compliance concerns also face potential operations-related security and confidentiality issues when moving to the cloud. The nonprofit's executive director must diligently take the necessary steps to ensure the cloud provider is meeting the agency's specific compliance concerns -- especially when it comes to grants and other funding sources for the agency.

Plan for cloud-based computing security

With proper due diligence, consideration and planning, cloud-based computing can be a beneficial choice for the small nonprofit, especially for those with limited office space, operating capital and staff.

There's no reason nonprofits should fear the perceived disadvantages of these technologies. Cloud-based computing, whether it's a free cloud storage option or a contract with a fully serviced cloud provider, has the ability to give small nonprofit organizations the chance to play with enterprise-grade computing power on a very small budget.

As long as the nonprofit selects a cloud-based storage provider that is grant-compliant, establishes a definitive and rock-solid service-level agreement with the vendor and has conducted a thorough IT consultation, the cloud will signal a step in a new -- and quite attractive -- direction for nonprofit agencies willing to embrace the technologies.

Vanessa James is a business technology consultant and blogger. She enjoys reading about new technologies and issues regarding the IT world. Her work has been published on TechRepublic, IT Manager Daily and The Higher Ed CIO blog.

Let us know what you think about the story; email Ben Cole, associate editor. For IT compliance news and updates throughout the week, follow us on Twitter @ITCompliance.
