Last week a new set of privacy principles regarding the handling of personal information came into effect. The changes relate to how businesses handle, use and store personal information. While there are significant changes with a number of benefits for individuals, there have been some misconceptions in the industry with regard to privacy in the cloud that I’d like to address. Here are the top 5 myths that I’ve seen about privacy in the cloud.
1. Use of cloud computing is the biggest privacy risk factor
The notion that the use of cloud computing is the biggest privacy risk factor that Australian businesses need to worry about is simply untrue. Ponemon Institute’s Survey on Data Security Breaches revealed that 69 per cent of serious data leaks were due to employee activities or errors.
So a lack of internal policies and controls, direct marketing activities, poorly trained staff, stolen laptops and offshore call centres are all bigger risks than cloud computing.
While Australian companies need to understand the new legislation and how it affects their IT infrastructure, the direct business benefits of cloud far outweigh these alleged risks.
2. It is unclear which jurisdiction my data is held in
This is a common misunderstanding among businesses. The word “cloud” suggests to some that your data is floating around in some unknown location, implying transborder data risks under the Privacy Act. The reality is your data is still yours, and it’s still on a server in a data centre. The data centre just happens to be owned by someone else. Reputable cloud providers publish the regions in which customer data is stored and commit, in their service terms, not to move it across regions without your consent. If you’re unsure, check the provider’s published region list and your contract, and get the answer in writing: under the Privacy Act the obligation for any cross-border disclosure stays with you, so where your data lives needs to be something you can demonstrate, not just something you were told.
3. I can’t control third party access to my data in the cloud
The suggestion that you can’t control third party access to your data in the cloud is another myth. Major cloud providers typically offer security services and accreditations that internal IT could not deliver on the same budget. Encrypting data before it leaves your environment, with keys that you hold rather than the provider, removes the provider’s ability to read it at all; together with the provider’s own access controls and audit logging, the technology risks are manageable. And of course, technology and human risks exist whether you are hosting your data internally or externally.
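The point about encryption deserves to be made concrete. Below is an added example (my own illustration, not code from the original post or from any provider) of client-side envelope encryption: each record is encrypted under its own random data key, and that data key is in turn encrypted under a key-encrypting key (KEK) that, by assumption, never leaves the customer, for instance an on-premises HSM or a key service the provider cannot reach. The provider stores only the envelope. The record identifiers, the sample personal data and the demo KEK are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"io"
)

// Envelope is the only thing the cloud provider ever stores. Without the
// customer's key-encrypting key (KEK) it cannot recover the data key (DEK)
// and therefore cannot read the payload.
type Envelope struct {
	RecordID   []byte // stored in clear; bound into both GCM tags as AAD
	WrapNonce  []byte // nonce used when wrapping the DEK
	WrappedDEK []byte // DEK encrypted under the KEK (AES-256-GCM)
	Nonce      []byte // nonce used for the payload
	Ciphertext []byte // payload encrypted under the DEK, GCM tag appended
}

func gcm(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts plaintext under key with a fresh random nonce and binds aad
// into the authentication tag, so the tag fails if aad is changed later.
func seal(key, aad, plaintext []byte) (nonce, ct []byte, err error) {
	aead, err := gcm(key)
	if err != nil {
		return nil, nil, err
	}
	nonce = make([]byte, aead.NonceSize())
	if _, err = io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, nil, err
	}
	return nonce, aead.Seal(nil, nonce, plaintext, aad), nil
}

func open(key, nonce, aad, ct []byte) ([]byte, error) {
	aead, err := gcm(key)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, nonce, ct, aad)
}

// Encrypt runs on the customer's side before anything is uploaded.
func Encrypt(kek, recordID, plaintext []byte) (*Envelope, error) {
	dek := make([]byte, 32) // one random AES-256 key per record
	if _, err := io.ReadFull(rand.Reader, dek); err != nil {
		return nil, err
	}
	wrapNonce, wrapped, err := seal(kek, recordID, dek)
	if err != nil {
		return nil, err
	}
	nonce, ct, err := seal(dek, recordID, plaintext)
	if err != nil {
		return nil, err
	}
	return &Envelope{recordID, wrapNonce, wrapped, nonce, ct}, nil
}

// Decrypt also runs on the customer's side. It fails closed on a wrong KEK,
// on any modification of the stored bytes, and on an envelope that has been
// copied under a different record ID.
func Decrypt(kek []byte, env *Envelope) ([]byte, error) {
	dek, err := open(kek, env.WrapNonce, env.RecordID, env.WrappedDEK)
	if err != nil {
		return nil, err
	}
	return open(dek, env.Nonce, env.RecordID, env.Ciphertext)
}

// ProviderCanRead reports whether the stored payload exposes the plaintext
// in clear, which a correctly built envelope never does.
func ProviderCanRead(env *Envelope, plaintext []byte) bool {
	return bytes.Contains(env.Ciphertext, plaintext)
}

func main() {
	kek := make([]byte, 32) // demo KEK; assumed to live in customer-controlled key storage
	if _, err := io.ReadFull(rand.Reader, kek); err != nil {
		panic(err)
	}
	record := []byte("customer-record-0001")                  // constructed identifier
	pt := []byte("Jane Citizen, DOB 1980-01-01, TFN redacted") // constructed sample data
	env, err := Encrypt(kek, record, pt)
	if err != nil {
		panic(err)
	}
	fmt.Println("provider can read payload:", ProviderCanRead(env, pt))
	got, err := Decrypt(kek, env)
	fmt.Println("customer decrypts:", string(got), err)
	env.Ciphertext[0] ^= 1 // simulate the stored object being altered
	_, err = Decrypt(kek, env)
	fmt.Println("after tampering at the provider:", err)
}
```

Binding the record ID into the authentication tag is what stops a stored envelope from being silently swapped in for another record; the rest of the guarantees come from the KEK staying out of the provider’s reach. Two caveats a practitioner should keep in mind: encryption does nothing about the provider deleting or withholding your data, and it does nothing about the staff and process risks that myth 1 identified as the larger problem, so it addresses only the “can the provider read my data” part of the concern.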
4. Australian privacy law is tougher than elsewhere
Understandably, there are lots of businesses that are concerned about just how tough the new privacy laws are. In particular, they are worried about the cost of compliance and potential for significant fines (up to $1.7 million).
It’s important to remember that most developed economies have had strong privacy laws for some time. The EU established one of the more comprehensive regimes with its 1995 Data Protection Directive, which applies across all member states, and regulators in Spain and Germany have issued many stiff fines. Many Latin American countries, including Peru, Uruguay, Argentina, Costa Rica and Mexico, have issued privacy laws to open trade with the EU. In Asia, Singapore passed a privacy law last year that protects personal data for ten years after a person’s death, while South Korea’s privacy law even covers a person’s image or voice.
5. I don’t need to worry about it
Despite my other comments, complacency remains the most dangerous myth! Businesses that think they don’t need to worry about security and privacy in their cloud are dead wrong. The risks may be similar to hosting data internally, but they still exist. Larger organisations may struggle to effectively audit their own use of cloud services, particularly when services have been adopted within departments rather than by corporate IT. On the other hand, small companies may struggle to understand the risks or to establish privacy statements and policies. That said, simple steps can ensure that a company’s use of cloud is not a high risk factor in terms of its overall privacy compliance, when compared to the alternatives available.