We all live online lives. We do business there, we socialise there, we network there. Because of this, individuals, businesses and governments have all become increasingly concerned about how digital information is protected – and how we preserve personal privacy, corporate assets and government secrets. But how does this affect businesses? At the moment, most organisations are focused on managing the migration from on-premises to cloud-based infrastructure. However, while this is going on, governments and regulatory bodies worldwide are seeking to regulate data held in the cloud, meaning enterprises need to learn a new way of doing business there.
Many countries are now attempting to overhaul current data privacy legislation, or to introduce new legislation. For example, Brazil has introduced the Brazilian Internet Act, which deals with the treatment and use of personal data on the internet, and Hong Kong's data privacy laws underwent major reform in 2012, although the section dealing with international data transfer has not yet been enacted. Also, and perhaps more importantly, the European Union (EU) is to implement the General Data Protection Regulation (GDPR), which will replace the EC Data Protection Directive (Directive 95/46/EC); fines for violations are set to be around 2% of global revenue. This could mean billion-dollar fines for some of the world’s highest-profile companies.
Understandably, as countries and regions step up their game, this has added to the ongoing debate surrounding ‘data sovereignty’. At Intralinks, we see data sovereignty as an umbrella term for anything related to the protection of data, spanning data privacy and its associated laws and regulations, data encryption, transfer, storage and overall information governance.
What does the GDPR mean for me?
Even though the GDPR is an EU regulation, it impacts all global organisations doing business in Europe. As regulations go, it is in the ‘heavyweight’ category. It is set for finalisation by the end of this year, with a two-year implementation phase across 28 countries. As a result, there are certain questions that global businesses need to ask their cloud providers.
Broadly, a few key questions that businesses need to ask their cloud partners are:
- Is my data being processed and stored inside the European Economic Area (EEA)?
The EEA includes the EU member states, as well as Iceland, Norway and Liechtenstein. This is a very important question because data is not allowed to leave the EEA unless certain provisions are in place or met. Currently, there are 11 countries outside the EEA that the EU deems to provide adequate protection for data storage and processing, including New Zealand and Andorra. Otherwise, Binding Corporate Rules (BCRs) or standard contractual clauses need to be in place. Previously, Safe Harbor could be used to transfer data from the EU to the US; however, this has now been declared invalid by the Court of Justice of the European Union.
- Do you have sub-contractors?
It is common for cloud providers to work with contractors when transferring, storing and processing information. If this is the case, information governance frameworks need to be in place to ensure the contractors also comply with the data privacy legislation. If they do not, the damage could be huge.
- What technical and organisational measures are in place?
This is an important point. Every cloud provider should have measures in place for protecting personal data, and organisations need to understand how their data will be secured and protected. This is already a requirement under the EC Directive – the current data protection legislation in Europe – and remains one under the GDPR.
Is it just about regulation?
Aside from simply understanding regulations, we believe customers need options when developing their cloud strategies as data privacy laws begin to change. Enterprise customers need to think about their current technology infrastructures, together with their governance procedures, to see what needs an upgrade. Unfortunately, there is no “one size fits all” answer, which is why businesses should consider a number of things.
Firstly, the location of data will remain important for enterprises and countries, which will always insist on some level of data residency. From a legislative viewpoint, the matter of ‘where data is’ is critical. Fundamental concerns in the legal world include clearly defining the point of control over sensitive information, i.e., where the point of encryption resides. This is why physical data location is often used to help define the wider privacy problem in legal circles. Keeping data on premises or in-country also gives data owners peace of mind, especially if they operate in highly regulated sectors. But in the online world, where data has three states (in use, in transit and at rest), it is also important to assess what technology is able to protect your data in all three states, not just where it is stored.
In a world threatened by cyber-attacks and accidental data leaks, encryption must travel with the file wherever it goes, whether that data is stored on a company iPad, a personal laptop or a corporate server. This means only those authorised to view the content are able to do so. Encryption also helps businesses control whether data can be used in certain places, by implementing rules that are directly tied to the sensitivity level of the information. Solutions such as Customer Managed Encryption Keys and Information Rights Management (IRM) help support this exercise.
Finally, organisations need to look at governance. Data governance is often a moving target given how rapidly legislation is changing; however, it is important for companies housing personal data to ensure their internal policies and procedures are an “information safe haven” – and there are ways in which businesses can work towards this. Some companies are applying for BCR approval, whereby national regulators approve a business's privacy governance and data transfer frameworks. This process is long and can take a few years.
As companies continue to move to the cloud, businesses need to focus their efforts in the right areas and work with the right partners. Those businesses that don’t keep up will risk huge fines, as regulatory powers seek to catch up with the online lives we all lead.
About the author
Deema Freij is Global Privacy Officer at Intralinks' London office. She oversees global data governance within the company and is responsible for further strengthening the company's worldwide focus on data privacy and regulatory demands. Prior to joining Intralinks in 2011 as Legal Counsel, EMEA & APAC, Freij spent seven years as a legal consultant. Before that, she served as legal counsel at European tech incubator and business accelerator GorillaPark, following two years as a solicitor at international commercial law firm Salans. Freij is a member of the International Association of Privacy Professionals (IAPP) and holds the IAPP certification, Foundation & CIPP/E.