In today’s increasingly cloud-based world, companies are migrating to hybrid and multi-cloud environments against the concerning backdrop of COVID-19 – either as part of their conscious digitalisation efforts and workflow automation or to enable remote access to company resources. Many digitalisation efforts have been made hastily because of the need to facilitate work-from-home requirements without delay.
These may create potential security issues and, when they involve processing personal data, privacy issues. So organisations must keep in mind data protection/privacy laws that govern how personal data is processed.
Any data breaches, abuse of personal data or non-compliance with data protection rules and regulations will get an organisation into trouble with the law. Where personal data is stored in hybrid and multi-cloud work systems, the risk of encountering such trouble may be increased.
To tackle data privacy risks in a landscape where workflow automation and cloud environments are intertwined, here’s how organisations and startups can comply with data protection requirements.
Ensure proper governance of personal data
Many data protection laws in the ASEAN region require organisations to appoint a data protection officer to ensure proper governance of personal data.
Even where there is no such requirement to comply with applicable privacy laws, a suitably senior employee should be tasked with ensuring proper governance of personal data.
In addition, there should be a dedicated governance team or committee in place to ensure that personal data is safeguarded according to the legal requirements. Such a team or committee ordinarily comprises the heads of each department that handles personal data in its operations.
The data protection officer, or other individuals in charge of personal data governance, will act as the subject-matter expert and co-ordinator of governance activities.
The governance team or committee must first understand the data life cycle of all business and workflow processes within the organisation (that is, where personal data is collected, used, disclosed, shared, transferred to another country, stored and disposed of) before it can comply with local data protection requirements.
Regulators expect organisations to demonstrate accountability for compliance with data privacy laws. Fortunately, despite new regulations and amendments being introduced (such as in China, Indonesia and Thailand), the data protection rules and principles are similar in each country. This makes it relatively easier for organisations to comply from a regional regulatory perspective.
Assess the risks involved in processing personal data
The first step in the compliance process for both startups and well-established organisations is to identify the following risks:
- Personal data risks, especially for sensitive data (e.g. financial data, health data, records of persons infected with COVID-19, etc.)
- High-risk processing, especially in the cloud (analytics, automated decision-making, artificial intelligence and machine learning, predictive analysis, etc.)
- Risk areas or gaps in new digital processes, online projects or products that the organisation creates
- Use of third-party outsourced services and platforms (e.g. web hosting services, SaaS platforms, shared services, etc.)
What makes processing personal data in the cloud a vulnerability, whether as part of a monetisation model, work automation or digitalisation efforts, is that the data is disclosed or shared outside the organisation.
This means that it is beyond the organisation’s direct control from both a privacy and security perspective. The organisation is totally dependent on the cloud service provider.
Under data protection laws, a company can delegate the performance of these tasks to third parties. Still, it cannot delegate its responsibility under data privacy laws for ensuring they are performed. Therefore, a regulator will first look to hold the organisation accountable for any data breach, even if it originates from the outsourced vendor.
Enforcement cases show that organisations that carry out proper due diligence when selecting external service providers or cloud platforms, and that have contracts with them covering all relevant aspects of data protection, including technical measures, can convince regulators that these third parties may be held accountable for a data breach originating from the outsourced vendor.
Then there are inherent privacy and security risks to companies using the cloud to process personal data, where the organisation has poor practices in place such as:
- Not obtaining consent when collecting, using or disclosing personal data
- Excessive or illegal processing of personal data
- Unauthorised access to personal data (e.g. absence of access controls or use of poor access controls) or unauthorised disclosure of personal data due to lack of security measures
- Indefinite storage of personal data, by the organisation or cloud service provider (even when contracts have expired or been terminated), after the business or legal purposes for processing the data have been fulfilled
- No safeguards in place for cross-border transfers – that is, an organisation using a cloud service provider without finding out whether personal data will be sent out of the country by the provider
As employees use more automation tools online, they may also opt to use free SaaS or cloud services (e.g. simple CRM or email marketing software), thereby putting employee or customer data at risk. Even with good intent, such work practices may violate company security policies and fail to comply with data privacy laws.
Put together a comprehensive data privacy protection management programme
Once the organisation is aware of its privacy and security risks, the governance team should implement a data protection or compliance programme to ensure systematic compliance from an operational perspective.
Risks must be identified, and at least all key risks must be addressed by relevant controls, policies and procedures intended to ensure compliance. These should be documented and implemented, and employees educated or trained accordingly, to prevent security or privacy lapses.
Data protection law is not prescriptive, meaning it does not spell out controls for every scenario, especially in hybrid or multi-cloud systems; companies can instead adopt standard industry practices.
For example, ISO/IEC 27018:2019 is the code of practice for protecting personally identifiable information (PII) in the cloud. Organisations, especially startups that use cloud platforms to store personal data in their business operations, should strive to achieve the certification to give their consumers further confidence and accountability, creating stronger business relationships.
The relatively new ISO/IEC 27701, an extension of the popular ISO/IEC 27001 information security standard, is another industry standard that companies can use when implementing their data protection management systems.
As a rule, companies should conduct penetration tests on any online portal or application.
Besides safeguarding data, companies are expected to audit their policies and practices to ensure effectiveness and respond to complaints, queries and even data breaches (as a regulatory requirement).
Importance of having a Data Protection Officer (DPO)
Due to both the legal and operational requirements of data protection laws (which also mandate the appointment of a DPO), there is now a shortage of experienced and trained DPOs.
This, coupled with highly publicised data breaches and enforcement actions by regulators, has created a demand for data protection expertise and professionals, especially by larger organisations and those operating online.
Whether your firm is a startup or a well-established company operating in today’s pandemic environment, a data protection officer will help you run your data protection management programme and navigate the issues of handling personal data and operating in today’s digital economy.
This article was first published on November 17, 2021
The post How companies can manage data privacy in hybrid and multi-cloud work environments appeared first on e27.