PII in the Sky – A Cloudy Outlook
May 9, 2014
- Asian governments are evolving their approach to managing PII data through legislative frameworks.
- Data privacy rules are converging across the region, but the onus for protection still rests squarely with the enterprise.
A fully realized cloud infrastructure promises server, storage and applications (along with all their data) floating in a glorious OpEx soup. Managed from afar, provisioned in minutes, flexible and scalable – there is little to dislike. However, for enterprises operating in multiple jurisdictions in Asia, data protection remains a key issue in planning deployments of cloud solutions.
In mid-April 2014, the Australian government issued its latest update to the Privacy Act 1988. The changes require that all Australian organizations understand where personally identifiable information (PII) about customers and employees is located. Whether the hosting organization is in Australia or offshore, it must comply with the regulations, including the requirement that PII about Australians be located in Australia.
Data privacy and transmission regulation is increasingly a topic across the Asian region. The APEC Cross-Border Privacy Rules (CBPR) system is a relatively new development in which businesses submit their plans for governing data transfers to ‘accountability agents’, who are responsible for assessing and ultimately certifying whether those businesses meet the standards set out in the CBPR. The rules contain base requirements covering how personal data is collected and used and how securely the information is held. The CBPR governs the transfer of personal data between all 21 APEC member countries, with the U.S. being the first formal participant and the Federal Trade Commission serving as the first enforcement authority. Merck and IBM are the first two companies with privacy programs certified under the CBPR.
Singapore enacted its Personal Data Protection Act in January 2013. Under the PDPA, organizations will generally be required to obtain individuals’ consent in order to collect, use or disclose their personal data.
Gaining and maintaining certification under these privacy programs is not for the faint of heart. For the IT manager looking to operate across multiple jurisdictions in Asia, careful planning is required to navigate the shoals of data privacy, with loss of market share and major financial losses as the penalty for failure. Protecting that data against unauthorized access, and securing it while it is transmitted across borders, needs careful consideration.
One solution offered by Bloomberg (known as ‘One Vault’) leverages the company’s data centers in 55 countries, allowing data compliance and archiving policies that can be configured at the employee level to abide by prevailing regional regulations for all corporate content, including e-mail, mobile communications, social media content, instant messaging, files and documents.
Though the promise of simplified IT management and flexible deployment of assets sits at the core of the cloud proposition, the protection and management of sensitive data in that cloud remains a challenge throughout the planning, deployment and ongoing use of cloud-based repositories. Establishing a firm partnership with a knowledgeable and capable cloud services provider will be key to staying on the sunny side of the law.