Moving to Cloud Introduces Privacy Risks, Fines
You’re a technology-forward business, so you’ve moved to the cloud. That’s great: you’re joining the many companies getting scalable, more reliable IT at a lower cost.
But there’s a catch. Along with these benefits, the cloud brings its own privacy concerns. Most cloud services use replication, copying your data across multiple datacenters and servers to protect against data corruption, accidental or malicious deletion, or natural disaster. Replication means that any privacy issue in that data is replicated across multiple datacenters and servers as well.
Perhaps the privacy issue most complicated by cloud replication is the Right to Be Forgotten.
What Is the Right To Be Forgotten?
You can find this right in many privacy frameworks, including California's Consumer Privacy Act (section 1798.105), Brazil's General Data Protection Law (Article 18), and Europe's General Data Protection Regulation (Article 17). As more states and countries pass privacy laws, these privacy rules will apply to all companies that operate in the cloud.
The laws vary in each location, but for an example, here is how Europe defines its Right To Be Forgotten:
The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data.
Cloud Privacy Dilemma: Anonymize or Delete?
Suppose a customer in Europe, California, or Brazil asks your company to forget them and delete their data. What do you do?
Once the request has been made, you have only a few days to delete all of the data you hold on that person. The exact timeline depends on where that person lives and which regulation applies to you for that customer.
First, hopefully you have already separated your data that contains personally identifiable information (PII) from your data that does not contain PII, and labeled both for easy access and identification. If you have not, then you probably need ZenPrivata’s Privacy as a Service.
From there, you can either delete the customer’s information or anonymize it so that it no longer contains PII. We generally recommend anonymization, because for most companies this data is the company’s lifeblood. By anonymizing, you can comply with privacy regulations while still keeping useful data.
Anonymization means deleting the personal information and replacing it with information that does not identify the customer. For the name or user ID, generate a new random ID and link all of the customer’s other data to that random ID. For fields such as street addresses, delete the value and keep only the zip code.
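As an added illustration (not ZenPrivata's code), here is a Python sketch of the anonymization just described: the customer's name and email are dropped, the user ID is replaced by a random ID reused across that customer's rows, the street address is reduced to its zip code, and a final check confirms that none of the original identifiers survive. The record layout and field names are assumptions, and the sample rows are constructed.

```python
import re
import secrets

# Constructed sample rows: one customer's profile repeated on two order rows,
# plus an unrelated customer. user_id is the key the erasure request names.
RECORDS = [
    {"user_id": "u-1001", "name": "Alice Example", "email": "alice@example.com",
     "address": "12 Main St, Springfield, IL 62704", "order_total": 42.50},
    {"user_id": "u-1001", "name": "Alice Example", "email": "alice@example.com",
     "address": "12 Main St, Springfield, IL 62704", "order_total": 17.00},
    {"user_id": "u-2002", "name": "Bob Example", "email": "bob@example.com",
     "address": "9 Oak Ave, Portland, OR 97205", "order_total": 5.25},
]
DIRECT_IDENTIFIERS = ("name", "email")          # fields dropped outright
ZIP_RE = re.compile(r"\b(\d{5})(?:-\d{4})?\b")  # keep only the 5-digit zip

def zip_only(address):
    m = ZIP_RE.search(address or "")
    return m.group(1) if m else None

def anonymize(records, subject_ids):
    """Anonymize the rows of subject_ids; other rows are returned unchanged.
    One fresh random ID per subject keeps that subject's rows linked to each
    other but not to the real person. The id map lives only in this call:
    retaining it would make this reversible pseudonymization instead."""
    new_ids = {}
    out = []
    for rec in records:
        uid = rec["user_id"]
        if uid not in subject_ids:
            out.append(dict(rec))
            continue
        if uid not in new_ids:
            # Random token, deliberately not a hash of uid: a hash could be
            # recomputed from the original ID and used to re-link the rows.
            new_ids[uid] = "anon-" + secrets.token_hex(16)
        anon = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
        anon["user_id"] = new_ids[uid]
        anon["zip"] = zip_only(anon.pop("address", None))
        out.append(anon)
    return out

def verify_forgotten(anonymized, original, subject_ids):
    """Post-erasure check: no original identifying value of a subject survives."""
    banned = set()
    for rec in original:
        if rec["user_id"] in subject_ids:
            banned.update(str(rec[k]) for k in DIRECT_IDENTIFIERS + ("user_id", "address"))
    return not any(str(v) in banned for rec in anonymized for v in rec.values())
```

The retained zip code is still a quasi-identifier: combined with other kept fields it can narrow down an individual, which is why field stripping alone is weaker than the stronger anonymization the article goes on to recommend.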
Cloud PII Anonymization Should Be Proactive and Use a Strong Algorithm
We recommend proactively anonymizing all of your PII data rather than scrambling to anonymize data in response to each Right To Be Forgotten request. This is part of a best practice called privacy by design. Contact us to discuss proactive data anonymization if you don't already anonymize PII proactively.
As computing power and artificial intelligence technology improve, it will become easier to connect an individual to their data even after it has been anonymized. For this reason, it’s important to use the best anonymization algorithms to ensure that the anonymization function cannot be reversed. This is why ZenPrivata uses a new branch of mathematics and algorithms designed specifically for privacy. Set up a consultation with ZenPrivata's cloud privacy experts and view ZenPrivata's Privacy Solutions to learn more.