Grazed from BusinessCloud9. Author: Stuart Lauchlan.
The shift towards Cloud Computing will lead to half of all organisations needing to revise their privacy policies by the end of 2012, according to research firm Gartner.
But for the hard pressed ICT professional or privacy officer, the challenge is going to be how to balance the legitimate concerns and requirements around security and privacy due to their high profile, with not getting carried away unnecessarily and neglecting other responsibilities. ..
Carsten Casper, research director at Gartner, comments:
“ In 2010, organisations saw new threats to personal data and privacy, while budgets for privacy protection remained under pressure. Throughout 2011 and 2012, privacy programs will remain chronically underfunded, requiring privacy officers to build and maintain strong relationships with corporate counsel, lines of business, HR, IT security, IT operations and application development teams. An established relationship with regulatory authorities and the privacy advocacy community will also be an advantage to them. ”
Gartner cited five key privacy related issues need particular attention in 2011 and 2012:
The challenge to traditional legal and technical privacy protection posed by Cloud Computing
Gartner argues that Cloud Computing and privacy are innately at odds:
“Privacy laws apply to one country; the public cloud, in its ideal form, is not related to any country. Privacy officers should not accept "no" for an answer when asking whether the processing of personal information in the Cloud or abroad is allowed. Most privacy laws have some flexibility, guidance is evolving slowly and, in many cases, there are legally acceptable solutions. Organisations should focus on the location of the legal entity of the provider, not on the physical locations of its operation centres. There are other cases when sensitive company information should not leave the country (for example, if there are export control or national security concerns), but in most cases — and usually under conditions — in-country storage is not mandatory for privacy compliance. In some cases, it will be sufficient to ensure that personal data will not be stored in a specific country that is known for its privacy violations. ”
Data breaches
Data breaches rank high on the priority list because of their visibility, but Gartner argues that preparing for and following up on breaches is actually very straightforward and shouldn’t be allowed to take-up too much time:
“Organisations should compartmentalise personal information, restrict access, encrypt data when transmitting it across public networks, encrypt data on portable devices, and encrypt data in storage to protect it from users who have been given too much privilege, from rogue administrators and from hackers. Consider data loss prevention tools, tokenization, data masking and privacy management tools. ”
The advent of location-based services allows personal information to be exploited in new ways
Gartner notes that not every organisation processes geolocation data, but the area is evolving rapidly:
“A specific way of processing may suddenly surface as a privacy scandal (e.g. smartphones storing more location information than expected). Many providers are still in the "collect" stage rather than the "use" stage. They compile vast amounts of information, often without a clear plan of what to do with it. This violates a fundamental privacy principle: Collect information only for the purpose for which you need it. ”
Quantifying the qualitative value of privacy
Gartner argues that there is no right or wrong when it comes to the value of privacy:
“Personal information has hardly any value or sensitivity. Rather, it depends on how data is being processed. Finding the balance between "not enough" protection and "too much" protection is an ongoing process. Legal requirements are a bad guideline as they trail technical innovation and cultural change by several years. Privacy officers should set up a process to identify stakeholders for personal information, gather requirements from them, influence the design of the business process and applications, and plan for adjustments. ”
New regulatory requirements
This is an ongoing challenge, admits Gartner, as new regulations keep coming. But it cautions against dedicating too much time to this as most changes only have a mid to long term effect:
“Absent of any specific laws or regulatory guidance, organisations must interpret existing, generic privacy legislation for emerging technologies like smart meters, indoor positioning, facial recognition on smartphones correlated to photo databases, vehicle and device locators, presence detection, body scanners, and others Monitoring of regulatory changes and, consequently, adjusting the organisation’s privacy strategy are important tasks, but they should consume more than 5-10 percent of the privacy officer’s time. ”
If an organisation’s privacy-responsible executives still have time on their hands, then there is still work to be done elsewhere, concludes Casper:
“The remaining 15-50 percent of the privacy officer’s time should be spent executing the privacy programme, managing relations, steering the privacy organisation, reviewing applications, revising policies, document controls, draft privacy terms for contracts, consulting with legal, responding to queries, following up on incidents and supervising the privacy training programme. ”
