December is Cloud Privacy Month
The cloud offers new and intriguing ways to collaborate in real-time. Every survey involving cloud technology confirms that the cloud remains on top of the list of essential technology for enterprises. Furthermore, there is a definite trend in companies moving toward the use of private cloud, highlighting an increase in concerns over data privacy, security (which includes cybersecurity), and disaster recovery. The 2020 BakerMcKenzie Digital Transformation and Cloud survey reveal that the top 4 concerns for companies engaging cloud providers are:
In our work with our clients, we have encountered additional concerns. These relate to the ability to continue to have control over the data once it has left the controller’s systems. Data is best controlled when it is no longer retained. Even in the event of a Data Subject Access Request, the cloud service provider can prove that the data was in their systems, but it has been permanently deleted, including from backups.
Oftentimes we talk to third-party providers using the powerhouse cloud providers and we ask them to delete the data as soon as it is no longer necessary for the transaction, but retain evidence the transaction has occurred and we hear the typical: “you are the first ones who asked us”.
Third-party providers utilizing CSPs (Cloud Service Providers) too often rely on their capabilities and their certifications (ISO 27018 for example) but what they are discounting is that any cloud solution needs to be configured by the primary user: if the instance is not properly configured, data may be retained ad infinitum.
It is clear that we are looking at an ecosystem of CSPs and the classic approach to privacy and security – which was siloed – no longer works. Cloud Privacy and Security teams need to work together with IT and the business to identify all the risks inherited from engaging a third party that may rely upon several CSPs.
One last consideration: it is the controller’s duty of care (the organization engaging the CSP or the third party using CSPs) to thoroughly review the way data flows, the configuration of the cloud instance, and how it submits or not to Privacy Laws and amend the contract terms and conditions accordingly.
At Managed Privacy Canada, we have reviewed many third parties on behalf of our clients and we have a tried and tested methodology to spot, document, and recommend mitigations for cloud risks. Our privacy risk sweeps will point out your organization’s areas of vulnerability, while our privacy impact assessments scan your projects for possible risks. To book your free 20- minute consultation with our Privacy Experts and take privacy-as-a-service for a spin, visit managedprivacy.ca