As companies of all sizes begin to store data in the cloud, privacy issues have become big news. Apple co-founder Steve Wozniak commented on the cloud, saying that “the more we transfer everything onto the web, onto the cloud, the less we’re going to have control over it.”[1] A major problem for companies is a lack of control over data. Companies often depend on service providers to secure, protect, and maintain access to critical company information. The issues companies face as they try to keep data compliant in the cloud don’t end there. Privacy laws are more common and carry stricter requirements and penalties. This means it’s vital to comply with personally identifiable information (PII) mandates, including jurisdiction-specific requirements, no matter where your information is stored.

In response to jurisdictional issues and confusion over inconsistent data privacy security and transfer requirements, a group of 44 lawyers from 32 countries took action. They created an initiative titled “The Data Privacy Compliance Cloud Privacy Check” (CPC/DPC) to provide straightforward guidance.[2] By providing a “Cloud Privacy Check process,” the CPC/DPC helps cloud users navigate data protection obligations. The questions in that process include:

  1. Does the transaction include any personally identifiable information?
  2. Does a third party involved in the setup of the cloud process have access to personal data?
  3. Does the data leave the jurisdiction of the customer?
  4. Is the cloud provider using subcontractors in the setup?

Questions 1 and 2 help determine whether PII obligations exist. Questions 3 and 4 define the obligations to manage PII in the cloud. In addition to this handy checklist, the CPC/DPC provides comparisons of privacy requirements across 32 countries. Country-specific reports help companies understand and plan for the complexities of maintaining information across borders.

The nature of cloud storage, and the increasing reliance on it, present unique challenges for information and records management. Information governance holds data—local- and cloud-based—to the same standards. It is important to maintain cloud-based information in line with company policies and all governing laws and regulations. As the CPC/DPC Checklist shows, an assessment can go a long way to ensure your business manages all information appropriately.

Contact Zasio today for a privacy impact assessment to help you navigate challenges proactively. Whether your data is stored locally or in the cloud, we can help you stay compliant.

 

Disclaimer: The purpose of this post is to provide general education on Information Governance topics. The statements are informational only and do not constitute legal advice. If you have specific questions regarding the application of the law to your business activities, you should seek the advice of your legal counsel.

 

[1] http://www.forbes.com/sites/joemckendrick/2012/08/06/apple-co-founder-steve-wozniak-distrusts-the-cloud-is-he-right/#50c5c7b47ef8

[2] https://cloudprivacycheck.eu/

Author: Jennifer Chadband, IGP, CRM, ECMp


Senior Analyst / Licensed Attorney