Privacy in the time of IT Cloud Services

It has become very clear that in the last couple of years, the management of personal information has built momentum and it is on everyone's minds.

The introduction of privacy and personal information protection legislation has helped stir the conversation in this direction, but the mismanagement of personal information by big players in the tech industry has firmly set that route.

The new trend of "free" services for consumers, and the convenience of having information stored in the "cloud" so that it follows you wherever you go and on whatever device you have, have been a breakthrough in our approach to technology and to information management. But the biggest breakthrough or "bang for your buck" has certainly been for organizations themselves.

Cloud services available to anyone, anywhere

What was unthinkable and cost-prohibitive 15 years ago in terms of setting up an IT environment to start a business, to be competitive or to have access to cutting-edge applications that would allow organizations to provide innovative products or services, has become as easy as just making the decision to get started.

Cloud services have allowed individuals and organizations to rely on the computing power of the large providers, thus avoiding the considerable capital and operating expenses that in-house IT infrastructure requires. This setup democratizes innovation and allows just about anyone to have a seat at the table when it comes to offering products and services.

And as great as this is, one aspect that not everyone thinks about is the considerable increase in the complexity of data flows.

Data flows and the implications to privacy

Organizations may have agreements with one IT service provider - call it a CRM software vendor, a marketing automation tool, an ERP system or anything else that imaginations can come up with. But the reality is that those IT service providers have service providers of their own: database hosts, infrastructure hosts, application hosts. The data that originally belonged to the organization is now in the custody of three, four or more service providers. The challenge is that companies don't really know how these service providers are protecting their data and, more worrisome, their end-customers' personal information.

Legislation such as the GDPR in the EU has tried to tackle this conundrum by ensuring that "data controllers" - which are the organizations that collect and decide how to use personal information - become more accountable about ensuring that said information is well-protected through the implementation of very specific data protection agreements with the IT providers, called "data processors", to ensure that they in turn also protect this information.

This is great when it is a one-to-one relationship between a data controller and a data processor, but what happens when the data processor has sub-processors of their own and the sub-processors do so as well? The complexity of this supply chain makes it almost impossible, when a data breach takes place, to pinpoint exactly where the issue lies and who should be held accountable for it.

Similarly, Canada is looking to amend the Federal Privacy legislation, PIPEDA, to treat data transfers as disclosures and therefore require end customers to provide explicit consent when doing business with any organization. This may prove to be annoying at best and futile at worst, but it is clear that regulators are looking at data transfers very closely.

Mitigating the privacy risks of complex data flows

In this environment, companies need to work to manage the risk that these complex data flows raise. This risk is not going away, and it doesn't have an easy fix, so it is important for organizations to adopt a few practices that may help with the management of said risk:

· Develop a data inventory that clearly identifies the type and sensitivity of data that is being stored on each of these systems

· Identify each of the vendors that provide these systems. Ensure that each vendor has a Data Protection or Information Sharing Agreement that clearly identifies their responsibilities - including being accountable for what their own providers do - towards the protection of personal information

· Document, as much as possible, the interfaces and data flows from one system to the next to identify vulnerability points or specific areas where breaches may occur

· Implement a detailed privacy breach response plan and ensure that you include a contact list for all your IT service providers in order to coordinate activities where necessary

Where do we go from here? 

Understanding what information is collected about customers as well as understanding all the places it flows to is critical to mitigate any risks associated with the protection of such information. Taking care of customers’ needs includes taking care of their personal information.

In these times where information is a commodity, using it for the benefit of the individuals that organizations serve is the best way to achieve loyalty, trust and a great reputation.

This post was contributed by Alejandra Brown, President of an IT and Privacy Consulting company and a Sky Northern Security Alliance member. To contact her, email info@skynorthern.com.