Cloud computing holds data and online services in ‘the cloud’ so you can connect from anywhere, at any time – provided you have Internet access! It’s a fantastic resource for home workers and remote computer users. Cloud computing service providers store data over multiple servers in multiple jurisdictions. The server hardware your company uses may be shared with other parties and your cloud server may be hosted in another country.
There are many different standards governing cross-border movement of personal data/personally identifiable information (PII). Some countries require local personal data/PII to remain in the country. You must remove personal data/PII from documents that may be moving across borders.
The European Commission, the Swiss Administration, and the US Department of Commerce designed the Privacy Shield Framework to provide a framework that US and European companies can comply with when transferring personal data from the EU and Switzerland to the US. The Privacy Shield Framework protects the fundamental rights of individuals in the EU and Switzerland if their personal data is transferred to the US. The Privacy Shield Framework replaces the EU-US Safe Harbor scheme which was annulled in 2016. Any organization that joins the EU-US and/or Swiss-US Privacy Shield Framework will be withdrawn from the Safe Harbor Framework by default. When an organization joins the Privacy Shield Framework, the organization is considered to have adequate privacy protection for the transfer of personal data from the EU and Switzerland to the US.
Physical ownership of the hardware used by your Cloud Service Provider (CSP) gives them access to any data using the cloud. Regardless of intent, this access could result in breaches of data privacy. There can also be legally sanctioned breaches of server security, such as US security agencies intercepting communications. Under certain US laws, there are reporting and notification requirements when a data breach has been discovered. In the EU, under the GDPR, the company responsible for the breach must notify the relevant regulator within 72 hours of becoming aware of the breach. Generally speaking, organizations must also notify the individuals impacted, including their customers, without undue delay after first becoming aware of the breach.
Be sure to notify Legal if you discover or suspect that we have had a data breach, so that proper reporting can be done swiftly.
You should always encrypt sensitive or regulated data that might pass through the cloud. Use Public Key Infrastructure (PKI) digital certification to safeguard secure communication on a public network. Make sure all files on the cloud have a local backup.
If you’re working remotely on your personal laptop, you could be using an unsecured network. If your laptop is hacked, that person might have access to your cloud data. Always use Virtual Private Networks (VPN) to ensure a secure Internet connection.
Alison needs to identify the data privacy risks associated with moving our customer databases to the cloud. Her first task is creating a project team folder. She asks your advice on what she needs to consider to avoid a privacy breach.
- The location of the server that contains the folder.
- The number of files that she can store in each new folder.
- If the folder’s physical location will change.
- If anyone within the Cloud Service Provider will have access to the storage.
- The backup options available.
Responsibility and accountability always remain with the company even if the physical location of the data is disputable. It’s your responsibility to know the risks associated with using the cloud, and to prevent breaches in data privacy.
Alison is based at the EU headquarters, but her team is working in New York. She gathers samples from several of the national databases to send back to the project team in the United States. Her company participates in the Privacy Shield Framework. She asks you what she needs to do to ensure secure communication.
✓ Remove references to the original authors’ names and business units before sending.
✓ Remove the document’s local backup after uploading to the cloud.
✓ Only upload PII if it is permitted by company policy and it is strictly necessary for the project being undertaken.
✓ Use Virtual Private Network (VPN) or equivalent to connect to the cloud.
Alison should comply with corporate policy regarding sending personal data to another country. If in doubt, she should remove all the personal data, as some of the data could be stored in a jurisdiction where personal data cannot cross international borders. Once the personal data is removed, the document no longer contains sensitive data that needs to be encrypted. However, other protections may have been put in place to ensure the transfer is protected. Always use a secure private connection when transmitting data.
- Physical ownership of the hardware used by your Cloud Service Provider gives them access to any data stored in the cloud. Regardless of intent, this access could result in breaches of data privacy.
- You should always encrypt sensitive or regulated data that would be stored in the cloud.
- You should use PKI digital certification or Virtual Private Networks to safeguard secure communication on a public network.
This content is an extract from the data privacy training course.