By Tyler W
May 03, 2023
Data Privacy Obligations
Do you know who is responsible for your data? Hint: the answer is in the question. It is a common misconception amongst my clients (at least initially), and many of my enquiries, that the responsibility lies with whoever is providing them the storage, such as Microsoft, Dropbox or Google. With the proliferation of cloud storage solutions it is easy to think we can hand responsibility for this data to the provider because, after all, they are the ones storing it. It rarely works like that. The provider is responsible for the security of its platform; if we are the ones entrusted with the data by our clients, then we remain responsible for how that data is handled, who can access it and where it goes. You cannot abdicate responsibility for this data, especially when dealing with Personally Identifiable Information (PII). As a result it is important to have a thorough understanding of where your data resides, and where it passes through.
I am a serial pest, on behalf of my clients, at getting to the bottom of this. Many of my clients deal in personally identifiable information, and as a result the impacts of 'data leaks' are severe. Getting to the bottom of where your data resides is an easy process, and often just requires a phone call (or several - but don't give up!) to your storage provider. Ask the questions, and have a clear understanding of your data. Some of the simple questions to ask are:
- Where is the data stored? [Which country is the server located in, and can you choose the region]
- Where does the data pass through? [Which servers, in which countries, does the data pass through on its way there, including any backups or replicas]
- Is it encrypted at rest? [Can anyone read the data, or just me, when it is idle - and who holds the encryption keys, the provider or you]
- Is it encrypted in transit? [If the traffic were intercepted, would the data be exposed]
- What encryption standards are used? [Are they current, widely reviewed standards such as AES-256 at rest and TLS 1.2 or later in transit, or outdated ones that are easily broken]
- Do you have an active intrusion detection policy? [Would they know if someone was snooping around and exfiltrating data, and how quickly would they tell you]
If you are able to get answers to these questions you will gain greater transparency on your data, and on the risks that you may be exposed to. Ideally you will get encouraging answers, and gain assurances that your data is secure and private. Where possible, check the answers against the provider's published documentation (data residency pages, security whitepapers and compliance reports), as a phone answer is not a contractual commitment. Holding your storage suppliers accountable shows that you place a high value on privacy and encourages them to meet their obligations to you, which benefits you in many ways.
There is the possibility that you may receive answers that are less than encouraging, and as a result you may need to do some additional digging or make compliance adjustments, such as changing storage providers or adding privacy contingencies (for example, encrypting sensitive files yourself before they are uploaded, so that the provider never holds readable data).
Again, this is a common service we provide, but there is no reason you cannot get to the bottom of this riddle yourself. If you are a customer, then they are obliged to answer your questions; it just may take a bit of time. Persist, and be the squeaky wheel that gets the grease! If you fail to hear from them, it could be a sign that they are not going to answer in the affirmative, and as a result you may need to consider changing providers as a preventative measure.
Protecting your data, and that of your clients, is of critical importance, as you do not want to become an OAIC Notifiable Data Breaches statistic. This is the week to get these questions answered, and to know exactly where your data goes, and where it lives!