Assessing data privacy risks when migrating to the Cloud remains a complex challenge. In a previous post, we looked at the impact of cloud migration from a cybersecurity perspective. That article explored the acceleration of Cloud Computing used to manage the increase in home working requirements due to COVID-19. But security is not the only issue on the cloud computing agenda. Privacy has become an important aspect of business life. Regulations that put a focus on data privacy, such as PIPEDA, CCPA, and GDPR, have stringent expectations over data processing. Added to this, customers have high expectations of how their data should be handled.
Here, we look at some privacy considerations when accelerating your cloud computing needs during the coronavirus pandemic, and beyond.
Privacy has continued to hit the headlines over the last year. Reports and surveys concur that privacy matters to customers. A 2019 Cisco survey on consumer privacy attitudes found that 84% of respondents care about privacy and were prepared to ‘take action’ to protect it. Privacy is both an ethical issue and a customer care demand; privacy is also now a regulatory requirement.
Regulations that involve privacy have entered the business landscape and are enforcing stringent data protection on pain of large fines. Data privacy and protection regulations exist in many countries, and some, like the EU’s General Data Protection Regulation (GDPR), have wide-reaching scope and impact.
Cloud computing complicates privacy because it extends the reach of personal data. Data is a fluid entity, and when it exists across often complex multi-cloud infrastructures, it can be harder to discover and categorize. Data is potentially more difficult to control when myriad cloud apps, web servers, and databases, across multiple jurisdictions, are used. But no matter what infrastructure an organization uses, it must place focus on data privacy.
Outlined below are three key considerations where cloud computing and data privacy dovetail.
Data sovereignty is a term used to describe how an organization should abide by the data protection laws of the country where data is processed. In complying with these laws, a company handling personal data must be compliant with data protection laws across the entire data lifecycle, wherever these data are located during that lifecycle. This has implications when choosing a cloud provider; often data may be gathered and stored in one location then processed elsewhere.
Ensuring governance of data across the entire lifecycle within multiple cloud infrastructures can be onerous. It can also have privacy implications. GDPR and CCPA, for example, have geographic jurisdiction regulations for personal data processing. Organizations that employ the services of a public cloud must know the location of data across all data states, from storage (data at rest) through sharing (data in transit).
During this period of lockdown, businesses are using new modes to communicate. This includes using online meeting portals, like Zoom and Microsoft Teams. In a recent post, Microsoft said that remote working had caused a “significant spike in Teams usage, and now have more than 44 million daily users”.
Cloud migration has enabled remote workers to effectively engage using online portals. But it is important to ensure that the same privacy and security considerations shown inside the confines of an office or boardroom remain in place in a home office. Discussions within online portals have the potential to leak company data that could have privacy as well as security implications. When using online portals, make sure you follow good privacy hygiene practices. This includes:
Data protection regulations set out stringent rules around the handling and processing of customer data. GDPR, for example, has eight data subject rights that must be adhered to; these include data accessibility, portability, and the right to rectification of data. Other consumer data privacy laws have similar requirements covering data processing and data subject rights.
In addition to this, customers themselves have expectations around their data privacy rights. A PwC report found that 84% of consumers will not deal with a company if they don't trust how it handles their data.
To fulfil data subject rights and to ensure that data is handled appropriately, it is essential to know what data is needed to run a service, where it will be stored, how it will be shared, and how it can best be protected. Within a cloud environment, this is an extended task covering all parts of a cloud infrastructure and out to endpoints.
A Data Protection Impact Assessment (DPIA) can help establish all of the states that data resides in, within and across such an extended cloud infrastructure. A DPIA focuses on the risks in processing personal data, and how to mitigate them. It gives an organization a tool to anchor its position with regard to personal data processing within the cloud.
Cloud computing has facilitated the online services needed for our businesses to weather the COVID-19 storm. There is a strong argument that without cloud computing, the current pandemic would have had an even greater impact on business. We need the cloud to facilitate many aspects of the modern office. Now that the office is even more decentralized via home working, the cloud is coming into its own. If you are accelerating your migration to the Cloud, vigilance around privacy does not go away because of a pandemic; our cloud environments, both at home and in the workplace, need to be of the same high standard to meet the expectations of data privacy.