Knowing Where Your Data is: The Policy & SLA Challenge
By Miriam Konradsen Ayed
Worrying about data privacy and cloud computing is so easy because the fear is so simple to express: “Our data is in the cloud! We don’t know where that is!” Then comes the hand-wringing about transferring data across international borders, European Union privacy rights, and cyber thieves; and everyone panics.
Let’s unpack all that, to understand what role the compliance officer can play when dealing with “the cloud.”
Modern data security risk is really about vendor risk management. Your organization gathers a pile of data and hands it to a third party for storage or processing. That creates a legal obligation for your company to assure that the third party can adhere to whatever compliance obligations you have for collecting that data in the first place.
The EU’s General Data Protection Regulation is a great lens through which to understand the issue. The GDPR defines a data controller as the entity that decides what data will be collected, and how it will be processed. The data processor is the entity that actually carries out the processing.
Article 28 of the GDPR says that data controllers shall only use data processors with sufficient policies and procedures to fulfill the GDPR’s privacy rights. That’s where vendor risk management enters the picture. And since one right under the GDPR is the “right of portability,” allowing consumers to decide where data about them is stored, this is where fears about the cloud enter the picture, too.
The simplistic response is to view this branch of GDPR compliance as an IT issue. For example, your chief information security officer (CISO) might work with vendors to map where all personally identifiable information (PII) is stored, and then direct PII to be moved to GDPR-compliant locations as necessary.
That’s only the first step. (In fact, this step assumes your organization already knows all its technology vendors and sensitive data, which is a big assumption to make.)
Your organization will still need to ensure that it remains GDPR-compliant over time. That’s going to require evaluation of vendors, drafting of contract language to enforce your GDPR obligations, and monitoring to ensure they fulfill their duties to you as your organization fulfills its duties to EU citizens exercising their GDPR rights.
The cloud itself needn’t be feared. For example, a company can store the PII of EU citizens outside of Europe; it simply needs to get their consent first, and give them an option to revoke that consent and bring their data back home.
From a technical standpoint, that may not be easy; it may even be cheaper to keep EU citizens’ data in Europe. But from a legal standpoint, the cloud is a perfectly fine technology to use if the company can ensure GDPR compliance while using it.
That’s going to require lots of cooperation between the compliance and IT departments. It will require due diligence of vendors, policy management, monitoring, escalation procedures for violations that do occur, and lots of documentation to prove that your organization has done the necessary work to keep data safe in the most cost-effective way.
And then your fears of the cloud can blow away in the breeze.