Everyone should be worried about data privacy and cybersecurity, given the stringent laws covering both issues here in the Philippines and in most of the rest of the world. Of course, the easy answer to the above question is: Our data is in the cloud! Then comes the next question: Where in the cloud? And the normal answer is: I don’t know where it is! This is followed by hand-wringing about transferring data across international borders, about the European Union’s privacy rights that come into force on May 25 this year, and about cyber thieves. That’s when everyone panics.
Now you will hopefully understand how important the role of compliance officers and data protection officers is; you can add ethical hackers to the list of jobs. Remember, I suggested two weeks ago to hire ethical hackers for a number of reasons.
Modern data-security risk is, to a large extent, vendor-risk management. Your organization gathers a huge pile of data and hands it to a third party for storage or processing. That creates a legal obligation for your organization to assure itself that the third party can meet whatever compliance obligations you took on when you collected that data in the first place (assuming that you have proper data security and data privacy protection in place yourself).
The EU’s General Data Protection Regulation (GDPR), which takes effect in May as mentioned above, is a useful lens through which to understand the issue. The GDPR defines a data controller as the entity that decides what data will be collected, for what purpose and by what means it will be processed, and how and where it will be stored. The data processor is the entity that actually carries out the processing on the controller’s behalf, very often offshore, as we in the Philippines know very well.
Article 28 of the GDPR says that data controllers shall use only data processors that provide sufficient guarantees, in the form of policies, procedures and technical measures, that the processing will meet the GDPR’s requirements and protect the rights of the people whose data is stored. And since one right under the GDPR is the “right to data portability”, which lets individuals obtain a copy of their data in a machine-readable form and move it to another provider, you must know where each processor holds that data and be able to get it back out. This is where fears about the cloud enter the picture, too.
The simplistic response is to treat GDPR compliance as an IT issue. For example, your Chief Information Security Officer might work with vendors to map where all personally identifiable information is stored, and then direct that it be moved to GDPR-compliant locations as necessary.
But that is only the first step. (In fact, this step assumes your organization already knows all its technology vendors and all its sensitive data, which is a big assumption to make.)
Your organization will still need to ensure that it remains compliant over time. That is going to require evaluation of vendors, drafting of contract language that passes your privacy-law obligations on to them, and monitoring to ensure they actually fulfill their duties to you and your organization.
If you in the Philippines are dealing with the EU, you will definitely have to be ready by 25 May. But even if you are not dealing with the European Union, you will have to comply with the rules set by the Philippines’ National Privacy Commission and by similar authorities in many parts of the world now!
Let me add that the cloud itself need not be feared. For example, you can store the personal information of people outside the Philippines, Europe, the US or Australia; consent is one lawful basis for doing so, so you first obtain the consent of the owner of the information, giving them the option to revoke that consent later and to have their data brought back or deleted.
As you can see, this is going to require plenty of cooperation between the compliance and IT departments. It will require due diligence on vendors, policy management, monitoring, escalation procedures for the violations that do occur, and plenty of documentation to prove your organization has done the necessary work to keep data safe in the most cost-effective way.
Comments are welcome. And if you need assistance, you can contact me at [email protected]
Flashback: On July 11 I wrote about ‘Open Government Partnership – Part of Fighting Corruption’ and made extensive reference to reports prepared by the Independent Reporting Mechanism (IRM) of the local Open Government Partnership implementation group. The reason why I used the IRM source is that the Integrity Initiative is part of the Civil Society Groups supporting the OGP Program and the reporting of the IRM. In fact, the Integrity Initiative has added progress information to the latest IRM report.