Who Owns Data? Staying On The Right Side Of Privacy Laws
So, you’re well on your way to moving your business to the cloud. You’ve figured out how to go mobile, serve your clients, and attract the best staff. Now that everything is chugging along smoothly, you should probably take a moment to check on your client data. Where is it stored? How secure is the storage? Can governments access the information?
Data privacy is massively important in the world of cloud computing because you, as a business owner, are putting your client data in the hands of your cloud provider. That provider must comply with laws in any (and all) regions where its employees are located and its data is stored. If the cloud provider has data centers in the US, Canada, and India, it must follow the privacy (and disclosure) laws of each of those countries.
At this point in time, there isn’t one universal data privacy law that oversees how data can be accessed and used. Each country has its own. The one constant is that most governments have allowed themselves more access rather than less. The US, for instance, has devised the Patriot Act, which allows the American government to take whatever data it wants. Other countries have passed variations on that theme. You become subject to the laws of all countries where your data is stored. Yikes!
Before the fear of data breaches forces you to make a beeline back to last century’s technology, let me reassure you. There are ways that you can protect the sensitive data that your clients have entrusted to you.
Choose your cloud provider very carefully. Through the last decade, more niche cloud providers have come into being. These are companies that specialize in very specific markets and tailor their services for those businesses. Insynq, for instance, has been providing cloud services to the accounting and financial services sector for 20 years now. Our services and solutions can be easily customized to the needs of any business in that industry.
When you draw up a contract with your cloud provider, try to include as many of these items as possible:
– Confirm who owns your data.
– Require the cloud provider to return or destroy your data when the contract ends.
– Note in which country the data will be stored and who will have legal access to it. If possible, ensure that your data can’t be transmitted outside your own country.
Ask the cloud provider what their security procedures and standards are. They should use high-quality encryption, so that anyone who does happen to spy your data won’t be able to glean anything from it. Find out who can access the data and how they prevent unauthorized access.
Here’s a tip that most businesses never consider. Did you know that you can negotiate audit rights? In other words, you might be able to write into the contract the right to drop in to visit the cloud provider’s data center. That might not be very practical if the data center is halfway across the world. But if it’s nearby, why not?
Will the cloud provider notify you immediately if there’s a data breach? Insist that they do!
Do a data privacy impact assessment. You know the kind of data you collect from your clients. You don’t need to upload all of it to a cloud provider. Customize your cloud solutions so that they fit with your business practices and comfort level.
Use a hybrid cloud. This is essentially one way to customize your cloud experience. You can upload email and other less sensitive information to the cloud while keeping sensitive data stored on your own database or server.
Provide transparency reports to your clients. Whether or not you store some or all of their data in the cloud, they deserve to know how their private data might be accessed and used.
Wondering how to better protect your client data? Give us a call!