Cloud Data Privacy and Security Challenges Part 4: Cloud Data Privacy and Security Challenges
A closer review of the comparison of the three laws reveals some inherent challenges associated with data protection and data privacy compliance, such as:
Explosion of Data Privacy Laws
Governments are taking data privacy rights seriously, leading to a proliferation of initiatives to define, approve, and enact data privacy laws. Each new initiative can benefit from the availability of the texts of existing laws (such as GDPR) that may influence how the jurisdiction’s law is drafted. However, the sheer number of laws creates a challenge for compliance, especially when the business needs to keep track of the data, contexts, jurisdictions, locations, and scenarios in which data security and privacy need to be enforced according to each law. An example of this complication is differentiating between which consumers are covered and in which circumstances. In some cases, the residency status of the data subject is relevant. For example, a California consumer’s data is subject to protection by the CCPA, but not by Virginia’s data privacy law. In other cases, the types of data collected that are protected. For example, CCPA enumerates a variety of types of data that are protected, while the Virginia law specifies “information that is linked or reasonably linkable to an identified or identifiable natural person.”
Variation in Definitions
These laws share intent to empower an individual with respect to protecting an individual’s private information, but even slight variations in definition among the different laws can complicate efforts to categorize a data set’s sensitivity classification as well as implementing data access controls. On example is the definitions of organizations that are subject to compliance. For example, CCPA defines “sale” of data as “selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means a consumer’s personal information for monetary or other valuable consideration.” VDCPA defines “sale” of data as “the exchange of personal data for monetary consideration by the controller to a third party.” In other words, the contexts for covered actions will differ based on the definitions. This means that the business may need to customize their governing policies according to the specific definitions provided in the different source laws. Consequently, it also means that organizations must configure their environments to operationally differentiate between compliance requirements depending on the characteristics of the transactions.
Managing Exemptions
All these laws describe scenarios in which the data protections are exempted or overruled such as for law enforcement or assurance against suppression of press freedom. At the same time, in most cases personal data can be used for the performance of a contract or compliance with a legal obligation, which both may come into play when a business provides customer support or honors a warranty for a purchased product. This means that literal interpretations of what is in the law (such as the “right to be deleted”) might not be adequate for correct implementation. The intent may be to allow the consumer to have personal data “deleted” to prevent its use for targeted marketing. But supporting the exempted scenarios suggests that deletion be effected through some means (such as encryption) that is reversible under the appropriate circumstances.
Managing Data Subject Preferences
The organization must have a system/means for logging and managing each data consumer’s data protection preferences and ensuring that those preferences are observed. This implies managing an inventory of data subject preferences that can accommodate the specific rules for each source data privacy law along with the methods supporting each law’s consumer preference notification mode (i.e., opt-in vs. opt-out).
Conveyance of Obligations
Organizations that share data with third parties must convey the preferences of the data subjects whose data is being shared. In turn, data recipients would need to ensure that they acknowledge and will comply with all restrictions and consumer preferences. When one organization shares data with another, how does it communicate the consumer preferences associated with data privacy compliance? And how do you incorporate compliance with data obligations in a contract in an enforceable way?
Data Security is not the same as Data Protection
Despite organizations’ efforts at deploying perimeter security techniques to prevent data breaches, even the best firewalls can be breached by nefarious actors. Once that barrier has been crossed, though, any reachable data sets are subject to unauthorized access and use. This is complicated even more as companies migrate their data and applications to cloud data platforms.
