The airport VAT scam: they are pocketing your personal data along with the extra cash

Much heat was generated last week following the exposé by The Independent about the practice of airport retailers collecting passenger destination data in order to report lower VAT revenues while pocketing the VAT effectively paid by those passengers deemed “zero-rated”. I commented, along with many others, on the ethics and legality of the practices, but all the time my main focus and concern was elsewhere.

What struck me in the debate – in online forums ranging from the Institute of Directors to consumer advocacy groups – was how little mention was made about the personal data that is harvested from each boarding pass; nor about the legality or otherwise of its capture and use. There seems to be a complacent consensus that “this is just how the business works”.

Firstly, a comment about the law: data protection legislation in the EU (and increasingly, beyond) is clear that electronic data about a person can only be collected and used:
– for lawful purposes;
– with the explicit consent of the person;
– for specific, defined business objectives;
– for as long as the data is required, and no longer.

That many of these provisions are ridden roughshod over across the economy is thinly veiled by the ubiquitous “privacy notices” that most of us do not read (it has been estimated that it would take you six weeks working full-time to read a year’s worth of such notices). However, many retailers are falling foul of the law just by collecting personal data without providing the statutory privacy notice.

Lesson #1: If anyone asks you for your personal data (to be included in any computerised system), ask to see their privacy notice, which is required to state explicitly what the data is being collected and used for.

Secondly, in airports, retailers are indeed required to ask for the destination of a passenger if that has an impact on the sales price or the tax or duty charged on that sale (whether such savings are passed on to the passenger was the subject of the previous heated discussions). I’m sure that most retail outlets are trying to do the best by their customers and cut down queuing and processing time: the advent of the 2-D bar code on passenger boarding passes was thus a boon. No more manual checking of paper boarding passes and keying in the required data.

However, the point-of-sale scanner is not choosy. It scans the entire data set, whether that data is required or not. Different off-the-shelf and proprietary POS software will handle that data in different ways.

The legally prudent and risk-averse retailer would collect only the destination datum and match that to a particular sale, so as to provide the required and adequate proof to tax and excise services that a certain sale was not subject to duty, VAT, or other taxes.

The lack of analysis from journalists themselves is not very reassuring. From a later Independent article:

Airports may insist that the motive for the irritating demand from their retailers to see a boarding pass is “to understand how demand in our shops changes according to destination, times of the day or during different seasons,” the real reason is to identify purchases for which no VAT is due.

Although strictly true, this is missing the point. Evidence indicates that few retailers who collect personal data will willingly discard that which is not required, because therein lies a goldmine for data analytics. Whether it is a benign goal of “knowing your customer” or understanding patterns of movement through a business day, that data is not the retailer’s to use as they wish without restriction. Remember that your boarding pass does not simply state that Joe Bloggs is flying to New York – it’s telling a whole story of Joe Bloggs, flying in discounted business class in seat 5A, with a OneWorld frequent flyer account, two items of checked baggage, flying today with American Airlines, and who checked in early online. If you are comfortable with sharing all that – and with the retailer reusing that data in any further way it chooses – then be my guest. But it is your right to know what is being done with your data – and the retailer’s legal obligation to let you know – and to request that its use be strictly limited.

Lesson #2: Assume that whoever collects your boarding pass data is going to maximize its use for their benefit – and not just for yours. Note that IATA, the association responsible for the 2-D boarding pass standard, never mentions retailers or indeed any party outside the air travel industry in its guidelines for use of boarding pass data. In the absence of any clear signal to the contrary, retailers have just assumed it’s OK to use whatever they can get their hands on.
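To make the contrast concrete, here is an added example (not from the original post or from IATA) that decodes the mandatory section of the IATA 2-D boarding pass barcode (the “M1” format) to show everything a till scanner actually reads, and then the minimal record the prudent retailer described above would keep against a sale. The field widths follow the IATA BCBP layout as I know it; the boarding pass string and the sale reference are constructed for illustration.

```python
"""Added example: what a point-of-sale scanner reads from an IATA BCBP barcode,
versus the destination-only record needed for a VAT/duty exemption.

Field layout follows the IATA Bar Coded Boarding Pass mandatory section
(60 characters per first leg) as understood by the author of this example;
the sample boarding pass below is constructed, not a real passenger's."""

# (field name, width in characters) for the 60-character mandatory section.
MANDATORY_FIELDS = [
    ("format_code", 1),           # "M"
    ("legs_encoded", 1),          # number of flight legs in this barcode
    ("passenger_name", 20),       # SURNAME/GIVENNAME, space padded
    ("eticket_indicator", 1),     # "E" = electronic ticket
    ("pnr", 7),                   # operating carrier booking reference
    ("from_airport", 3),          # IATA airport code
    ("to_airport", 3),            # IATA airport code: the only VAT-relevant item
    ("carrier", 3),               # operating carrier designator
    ("flight_number", 5),
    ("julian_date", 3),           # day of year of the flight
    ("compartment", 1),           # cabin/compartment code (e.g. F, J, Y)
    ("seat", 4),
    ("checkin_sequence", 5),
    ("passenger_status", 1),
    ("variable_field_size", 2),   # hex length of the optional section that follows
]
MANDATORY_LEN = sum(width for _, width in MANDATORY_FIELDS)  # 60


def parse_bcbp(barcode: str) -> dict:
    """Decode the mandatory section into a dict of stripped field values.

    This is what any POS scanner has in memory after a scan: name, booking
    reference, route, carrier, cabin, seat and more, not just the destination."""
    if len(barcode) < MANDATORY_LEN or not barcode.startswith("M"):
        raise ValueError("not a BCBP mandatory section")
    fields, pos = {}, 0
    for name, width in MANDATORY_FIELDS:
        fields[name] = barcode[pos:pos + width].strip()
        pos += width
    # The optional section (frequent-flyer number, bag tag numbers, ...) follows;
    # its length is given in hex so a reader knows where the next leg starts.
    opt_len = int(fields["variable_field_size"] or "0", 16)
    fields["optional_section"] = barcode[pos:pos + opt_len]
    return fields


def destination_only(barcode: str) -> str:
    """Data-minimising extraction: the 3-letter destination code and nothing else."""
    return parse_bcbp(barcode)["to_airport"]


def vat_sale_record(sale_id: str, barcode: str) -> dict:
    """The record a prudent retailer stores against a sale as proof for tax and
    excise services: sale reference plus destination. No name, PNR, seat,
    loyalty or baggage data is retained."""
    return {"sale_id": sale_id, "destination": destination_only(barcode)}


# Constructed sample: one leg, passenger DESMARAIS/LUC, Montreal (YUL) to
# Frankfurt (FRA) on AC 0834, day 226, first class, seat 1A. Built with
# explicit padding so each field has exactly the width defined above.
SAMPLE = (
    "M" + "1" + "DESMARAIS/LUC".ljust(20) + "E" + "ABC123".ljust(7)
    + "YUL" + "FRA" + "AC".ljust(3) + "0834".ljust(5) + "226" + "F"
    + "001A" + "0025".ljust(5) + "1" + "00"
)

if __name__ == "__main__":
    print("everything the scanner reads:", parse_bcbp(SAMPLE))
    print("what the VAT record needs:   ", vat_sale_record("TILL7-000123", SAMPLE))
```

Comparing the two printed dictionaries shows how much of the “whole story” in the barcode is surplus to the tax-exemption purpose.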

Finally, it is worth thinking about the technology itself: there is an increasing and worrying trend – particularly strong in Silicon Valley – to insist that anything technology can do should be allowed to flourish, and that anyone standing in the way is simply an old-fashioned reactionary. Furthermore, this model of personal data collection fits well with an economy driven (often by desperation) to market ever more aggressively and improve sales. I take a different view, based on a societal model that recognizes that laws and customs evolve over time to reflect what is important – and trying to sell me more and more goods that I don’t want ought to be something over which I can assert some control.

The fact that there are strong (and, if anything, a trend to stronger) privacy and data protection regulations is a reflection of societal concern about potential and real abuses in the collection of personal data. I’m not averse to anyone willingly handing over their data in return for some benefit, provided it is done knowingly and transparently.

Lesson #3: If someone wants your data, assume they are making money from it, one way or another. Maybe it’s time for you to put a price on that transfer and use.

Or to uphold certain societal values that suggest that not all data should have a price tag. In Michael Sandel’s words, we risk becoming a market society rather than a market-driven economy and the difference is important. The latter is a tool; the former is an end in itself where literally anything is for sale. Think about that next time you hand over your passenger data and wonder whether it will affect, for example, future health or life insurance premiums, let alone the price that you will be presented with as an offer for your next flight.

Safe travels!

Posted in Data Protection, Privacy

Is privacy a barrier to innovation?

A common theme at this year’s IAPP Global Privacy Summit in Washington, D.C., held last week, was: how do we address the concern that increasing demands for privacy might stifle innovation?

Well, I have a simple answer: innovation has always been driven by constraints and limitations. It is only the increasingly coddled and slothful culture of Silicon Valley that seems to think otherwise.

Two examples to underline my view.

Firstly, take a look at the two photos below:

Millau Viaduct, Tarn Valley, France (Photo: Emma Dupont)

The Vasco da Gama bridge, Lisbon, Portugal (Source: gigantesdomundo.blogspot.com)

Stunning feats of engineering and beautiful to boot.
And both constructed according to some of the toughest building codes and architectural standards on the planet.

If the architects had come along and said “Look at our beautiful design, but please do not pester us with your petty requests to conform with the law, be safe, or expect us to accept any liability,” they would not have got the contract. And yet that is exactly what the whiny young digirati of Silicon Valley would have us believe is the only way to do business: we want the right to build anything we want and to hell with restrictions – you are just cramping our innovation. That small group of multimillionaires may think it’s OK, but I’m pretty sure nobody else agrees.

Furthermore, the opposite of their claim is more often true: constraints and limitations actually spur innovation. Look at Dr Seuss.

The popular children’s author wrote “Green Eggs and Ham” in response to a $50 bet with Random House co-founder Bennett Cerf that he couldn’t write a book using 50 or fewer distinct words. His inspired book was the result of a seemingly impossible, if unrealistic constraint. The constraint enabled the innovation rather than stymied it and the book has sold more than 200 million copies worldwide.

So maybe it is time to tell app and software developers: if you’re so damned smart and innovative, go ahead and develop solutions that are smart, beautiful, privacy-protecting, easy-to-use and cheap – and please don’t come back to us until you have. That would be an innovation race on which I would gladly wager $50.

Posted in Uncategorized

A vocabulary for digital toddlers

I have a strong memory as a small child around reactions to the word “dog”. We didn’t have a dog at home; neither did our neighbours; but they were around. However, I quickly discovered that I could say the word “dog” and suddenly everyone around me would start looking around – even when there wasn’t one there. Such power from a three-letter word! Such fun! And the fun was greatest when there wasn’t a dog to be seen. This was an early introduction to, and fascination with, language.

(Please stay with me: you are on the right blog – humour me).

As toddlers, beginning to find our way around the world, we come to understand that ‘things’ out there all have names, labels that we can use to refer to things, even those that can’t be seen, either presently or at all. I had struggled to understand the word “electric” (and pity my poor parents here) but finally gotten that it was something about being shiny, new, and dangerous to touch. “Electricity”, I assumed, meant “electric city” and, knowing that I lived in a city, meant I was in a dangerous place. Thankfully the delusion didn’t have lasting consequences, but you can start to see how a little understanding can be potentially dangerous.

In today’s increasingly digital-driven world I feel that I am in a place dominated by toddlers, all struggling with vocabulary for this complex digital world growing around us. We think we understand some words – often, reasonably enough, based on our existing ‘world model’ or our attempts to have the word make sense according to that model – only to be let down at some decisive moment.

Two words clearly represent for me such a struggle: “data” and “privacy”. Together with the myriad phrases that can be built from those two innocuous words (“we value your privacy”, “your data is safe”), we are left – if we care to probe deeper – with a sense of inadequacy, of illiteracy even.

I should explain.

On Wednesday morning, I hosted my annual “Privacy Breakfast” on the eve of the IAPP Global Privacy Summit in Washington, D.C. As on previous occasions, I brought together around 25 friends and colleagues from Europe and the US, from private and public sectors, from legal, research and explicitly privacy-related professions. The theme for this year’s discussion (held under Chatham House rules, so no personal attribution of comments) was the role of Standards in ensuring privacy in cloud-based services.

As more and more services available to us through PCs, laptops, tablets and smartphones are delivered to us from cloud-based platforms, bewilderment and fascination grow around the types and scales of data that flow between our devices and these services – particularly data that might or does impact upon our privacy as individuals.

Whether as a response to public outcry, as a matter of principle or good business practice, we are faced with ever more notices that “we value your privacy” or that “your data is safe with us”. While laudable in their own right, and certainly preferable to silence on the matter, such statements of principle are often not enough, unless there is a pre-existing and strong bond of trust between the parties to any transaction. So how is anyone to trust the claims made by an unknown or untried merchant?

In medieval times, as cities grew, the number of merchants selling wares at a city market (and often coming to the city expressly and uniquely for such market days) far outstripped the small number known personally to any citizen. Reputation obviously played a part but could take time to cultivate and be lost overnight. Weights and measures were the early Standards at such markets – ensuring the customer received the length of cloth they paid for; and the merchant received payment in legally recognised coinage.

The Viennese “El” for the measurement of linen and drapery, embedded in the wall of St. Stephen’s Cathedral by the medieval market square

The statement of principle, “a yard of linen for only three groats!”, was backed up by the recognition of the unit of currency; the quality of the cloth validated by a Guild; and an objective measure of the lengths involved: the yardstick, the “el”, and so forth. The statement of principle was given teeth by having such a measure against which to verify, validate, or refute the claim.

If the claims didn’t measure up, customers could run the merchant out of town, have them suspended from their Guild, or turn to the law or public authority to resolve any dispute. Claims, again, could be tested against the objective measures at hand.

In our conversation on Wednesday, we returned time and again to the role that Standards can play here but also to the paucity of a vocabulary for the digital age. The absence of a common vocabulary, even for critical issues such as cross-border data flows, is damaging. In its absence, we are all forced to rely on extremely subjective (and possibly self-serving) definitions. “It is like competing for privacy in a Tower of Babel”. Customers aren’t making the connections on their own either between claims about privacy and the daily realities of intense and often intrusive personal data mining and profiling (see Jeff Gould’s article for such an example).

There is a world of difference therefore between a cloud-service provider making the sincere but ultimately consequence-free statement “we value your privacy” and another that can demonstrate – often with third party certification – conformance and compliance with an objective set of tests and criteria. In the pre-digital economy, we have grown accustomed to relying on Standards for purchases of whole ranges of goods and services, from a humble lightbulb to a house: we don’t expect the lightbulb to explode; we do expect it to fit the socket; and we expect that the shop only stocks ones that conform to accepted Standards.

In the digital economy, it should be little different: it shouldn’t be down to the end-user or customer to have to read through reams of privacy statements or check millions of lines of code to be sure that their privacy really is being protected. Simple, certifiable and certified statements to this effect ought to be the norm.

Some progress has been made – the ISO 27018 Standard that I have written extensively about in the past couple of months – and new initiatives are underway, such as the one to name, classify and catalogue the many types of data that are exchanged in online cloud-service transactions, so that customers and suppliers can agree contracts and terms of use around commonly agreed terms.

Posted in Uncategorized

Microsoft confirms compliance with cloud data privacy Standard – one more step in the right direction

I have a particular soft spot for Microsoft’s Office365, I admit it. Ever since my two former companies in Europe (which developed semantic technologies on various platforms, including an open source Apache-based service and Apple iOS) started using SharePoint, I felt that this was a great platform with great potential. When I set up business in the USA in 2010, it felt natural therefore to start using the modest offering at the time, Office Live for Small Business, and when that integrated with SharePoint and other online services to become Office365, it was irresistible – and at an insane price point of $6 per month.

A key differentiator for me was the notable absence of advertising and monetization of my – and my company’s – data. I have just never felt comfortable with offerings like GoogleDocs. If they are scanning every single byte of data coming in and going out of their services, how can I be really certain that some commercially sensitive information doesn’t find its way into the wrong hands? I’d much rather pay a few dollars a month for a service that does none of that.

Despite that, and despite the assurances which I have always taken in good faith, there is always a niggling doubt in the back of my mind: I have assurances in my contract with them but what if Microsoft is analyzing my data for their own monetary gain? How would I know? What assurances do I have?

When so much of one’s professional life is centred around the development of international standards – and cajoling and persuading people and companies that they really are important – it is nice for once to be in the position of a consumer (and active in the fight for online trust and greater privacy) and feel reassured that a service you are using has been independently verified. And not by just anyone – but by the formidable British Standards Institute, whose track record on standards compliance and certification across a range of domains is world-renowned.

Now, suitably empowered and feeling more in control of my own data – it’s back to work, with Office365, naturally! 😉

Posted in Data Protection, Privacy, Standards

Apple CEO Tim Cook takes a swing at firms selling your data

Last Friday, President Obama led a White House cybersecurity and consumer protection event, hosted at Stanford University, that was intended to bring together many senior technology company executives. Notably absent were the CEOs of Facebook, Google and Yahoo – maybe still bearing a grudge against the federal government for the latter’s reported intrusive information gathering and surveillance.

Refreshing on the other hand was to hear Apple CEO, Tim Cook make a clear statement about Apple’s own business practices: “We have a straightforward business model that’s based on selling the best products and services in the world, not on selling your data,” Cook is reported as saying. “We don’t sell advertisers any information from your email content, from your messages, or your Web browsing history.”

This is in stark contrast to the practices of Silicon Valley neighbor Google, whose GMail service was analyzed in detail last year by Jeff Gould during an ongoing class-action suit against the Mountain View giant.

What is difficult from a consumer point of view, however, is to know who or what to believe in this increasingly hot topic. Or, more precisely, to have a reference against which to judge the various statements made. This only serves to underline the importance of formally approved Standards, as I wrote about in December.

I don’t expect Google to demonstrate certified compliance with the ISO 27018 cloud privacy Standard any time soon. It would seem anathema to their core business model and mightily difficult to achieve given the way data gathering touches every aspect of its sprawling empire.

Despite the well-intentioned statements of its CEO, however, there is no evidence that Apple wishes to demonstrate conformance either. Apple takes a very haughty attitude to Standards in general and there is no reason to think that they would lower themselves to actually having to prove a claim here either – relying rather on their formidable marketing machine and an enormous uncritical fan-base.

In December last year, Microsoft announced that their Azure cloud services had been certified as compliant. Hopefully others will follow. As I stated in December,

Common agreed Standards help the conversation by, at the very least, providing the right questions that should be asked by fiduciaries.

and again,

The value of many Standards can be as simple as knowing that they exist; knowing that they may be applicable; and knowing who to ask about whether they apply and are applied.

The ISO/IEC 27018 Standard exists; we know that it applies to privacy in cloud-based services and helps protect personal information; we also now know that large cloud service providers are starting to be certified as compliant. It’s nice to know that we don’t just have to take vendors’ word for it. We want to trust Tim Cook and others but having certified proof goes a long way: “Trust but verify”!

Posted in Data Protection, Privacy, Standards

ISO/IEC 27018 – What Does It Offer?

All this week, I have been blogging about the new ISO/IEC 27018 Standard and what it means for protecting personal information in cloud-based services. So, what does the Standard actually offer?

The standard gives new, clear guidance based on EU Data Protection Authority input on how a data processor should protect customer data, including a requirement that providers must either stop mining customer data for advertising purposes, or gain explicit consent to do so. Moreover, it must be possible for a customer to use the service without submitting to such use of its personal data for advertising or marketing.

Whereas other standards and processes require fast responses and repairs in order for a Service Level Agreement to remain in force, the ISO 27000-series of standards require identifying and fixing the root causes of the problems that arise. This approach is essential to long-term information security as well as to the health of a privacy-protecting cloud infrastructure.

1. Spelling out the true cost of the “free lunch” of many online services

Barely a week goes by without a new concern being raised about how cloud service providers use customer data. Nowhere is this more prominent than in the concern about use of personal data for advertising. Of course, some service providers will always find disingenuous ways to claim that the people most affected are not really their customers but just “users” – they would assert that their customers are the advertisers and that users simply consent to exchange their personal data for some “free” service.

People are rightly worried that their data is used or misused for such purposes without their express consent – only to be told, if they do decide to take up the cause, that consent is an implicit or explicit condition for use of the service. The ISO 27018 Standard can help here – a service provider who claims compliance with the controls and best practices laid out in the Standard will only use customer data as intended for use within the particular service. They cannot use that data for additional purposes such as advertising or marketing without the customer’s express consent. Most significantly, if they comply with the ISO 27018 controls, they cannot make it a condition of use of the service that a person is effectively coerced to allow use of their personal data for advertising and marketing. Those all-too-common, often misleading, “we value your privacy” statements will finally have to mean something.

2. Transparency and Peace of Mind

Using a cloud service provider that conforms to the controls specified in ISO 27018 gives customers peace of mind: the Standard requires the provider to return, transfer, or securely dispose of any personal data at the customer’s request, within a reasonable period of time, when the customer leaves the service.

A cloud service provider may have legitimate (but still clearly defined and limited) reasons for retaining customer data – imagine you forgot to renew a cloud service subscription and everything you had patiently assembled disappeared the following day! Or they need to hold on to billing information and history for accounting purposes. But once a clearly defined retention period has passed, data will be permanently deleted and removed from those services. The customer, and all data associated with them, can be “forgotten” by the cloud service.

3. Transparency of sub-processors

It is not sufficient for a cloud service provider to not know – or pretend not to know – what their own suppliers and contractors that also handle personal data are up to. Such sub-processors, as they are known, help service providers with data storage, processing and security. ISO 27018 requires providers to be clear about who they work with before customers enter into a contract. If those relationships or partners change, then customers have an opportunity to object or terminate their agreement.

4. Don’t just take the provider’s word for it!

If in doubt – check it out! Customers can rely on independent third party verification that a particular supplier really is implementing the controls that ISO 27018 requires. Cloud service providers must go through a rigorous certification process by an accredited and independent certification body in order to be verified as compliant. And that isn’t a one-off procedure either: providers must submit to regular, periodic review in order to maintain their certification as conformant with the standard.

5. Global applicability

The ISO 27018 standard has taken into account public policy from around the world as it incorporates input from many regional regulators. Conform to the standard, and a cloud service provider makes the whole job of conforming to particular legislation in one country or region that much easier. The standard provides a common set of guidelines for the whole industry and adds needed protections to improve PII security and compliance in an increasingly cloud-based information environment.

6. Protecting against unintended consequences

The massive flows of data across cloud computing services are becoming ever more complex. Identifying and protecting personal data in those flows is becoming a daunting issue for many providing cloud services – even if their primary business may not be the handling of sensitive or personal data. Following and using the privacy controls foreseen in ISO 27018 offers greater assurance for service providers that they are doing the right thing and doing everything recommended to protect against even accidental or unintended release of PII.


So, in summarizing this series of posts: what to look out for…

…as a cloud service customer

It may be early days to be already asking cloud service providers to demonstrate conformance with the ISO 27018 or asking for their certification of compliance – but organizations don’t magically conform overnight and nudging a supplier in the right direction – or if you are a supplier, nudging your services to examine this – is a good move. It is already worth asking whether the specific privacy controls covered in the standard will be included in future audits of their cloud service offerings.

If these controls are to be included and the audits are completed, as a customer you should be looking to see that these new privacy controls are included as part of a contractual commitment to maintain a data security policy that complies with ISO 27001.

…and as a cloud service supplier

As a supplier, likewise – it could become a valuable differentiator for you to demonstrate such compliance, or to show that you are using cloud service suppliers that comply.

Plan to apply the guidance in ISO/IEC 27018 to all customer data, even if you do not have visibility into the presence or absence of PII in the data that you process for customers – given the increasing complexity of data flows between cloud services and multiple types of device, it is difficult to be 100% certain that no PII is ever compromised. Better safe than sorry.

Privacy is not just a technology and engineering problem: information security and data protection can certainly be addressed with increasingly sophisticated tools and processes but privacy is a social issue with impacts well beyond the data stored and managed by cloud services. This requires that Boards look at the wider issues of harms and risks and in particular the consequences of decisions taken in their deployments of cloud services. ISO 27018 helps make that whole process clearer for all involved.

Conclusions

ISO 27018 emerged as a result of detailed feedback from, and dialogue with, privacy practitioners and regulators across the world. Organizations are faced with a simple question: do you prefer to voluntarily submit to using and following an agreed set of internationally approved standards or run the risk of further government regulation and intervention?

ISO 27018 helps customers and cloud service providers by ensuring that concrete guidance and specific controls for processing PII are addressed as part of an ISO/IEC 27001 audit. Many cloud service providers have commitments to information security management systems as defined in ISO/IEC 27001, and have thus, as part of that process, controls in data security policies that address protection of PII.

Certification against the ISO Standard on its own will not fix all privacy issues, nor is it in itself a guarantee of information security. Using it diligently and following the practices and guidelines recommended will, however, contribute to minimizing risk and improving an organization’s profile as a “good player” in the increasingly competitive world of cloud service suppliers.

ISO 27018 must be seen and used in the broader context of privacy strategy: as Trevor Hughes, CEO of the International Association of Privacy Professionals, put it recently: “Companies cannot view privacy as a compliance matter to be addressed by legal departments or a technical issue handled by IT…. Rather, to avert public embarrassment and consumer backlash, they must set up ethical review processes and instill issue-spotting skills in employees throughout the organization.” ISO 27018 is a core component of that skill set.

Posted in Data Protection, Privacy, Standards

Managing personal data in the cloud – assessing the risk

In the previous posts, I covered the key issues addressed by the new ISO/IEC 27018 Standard, and how an organization would go about complying with it and proving that it does.

Today I want to look at the issue of privacy and personal information from the point of view of risk.

Business is no stranger to risk and there is no such thing as “zero risk”. Corporate governance involves assessing what, and how much, risk is considered acceptable for the enterprise in pursuit of its objectives; what controls and safeguards are in place to ensure that defined risk boundaries are not crossed; and what remedies are available if things go wrong. There should be no room in boardroom discussions for ostrich-like views that blithely assert that bad things “are just not going to happen” and that preparation is unnecessary timewasting.

Standards can help boards and C-suite executives by providing guidance to help reduce risk and exposure. The areas of personal data protection, information security, and the increased reliance on cloud computing solutions are no exception. The value of standards is that they provide widely accepted guidance on the best ways to tackle problems and reduce risk: to be able to assert that you conform to important standards – and better, to back that assertion with proof – is as good as it gets in terms of exercising mature fiduciary responsibility.

“Cloud computing” as a term is surrounded with a lot of inevitable marketing hype, which itself can lead to confusion and lack of clarity at the level of a Board. The US National Institute of Standards and Technology (NIST) has the most succinct and widely adopted definition of cloud computing:

“Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.”

Those configurable resources can range from complete “solutions-in-a-box” (think of the vast array of directly user-accessible services online today) to bare-bones infrastructure of servers, memory, and storage that a client (such as an enterprise) configures and deploys in line with their existing and future computing requirements.

What this means for an organization’s leadership is that different types of cloud service deployment require very different approaches to risk mitigation and problem resolution. It is not one-size-fits-all. A couple of examples highlight the possible differences:

Company A procures a cloud-based solution to manage its payroll. All the relevant company and personnel data is held by the cloud service provider and accessed by authorized staff in Company A.

Company B procures a cloud-based solution to archive encrypted historical personnel records. All the data is again held by the cloud service provider but, as it is encrypted, it can only be accessed by authorized staff in Company B in possession of the appropriate decryption keys.

It would be a common sense judgment that Company A has more to consider and worry about in terms of potential privacy risks than Company B. But this doesn’t mean that Company B faces no risk – they are just different risks with different potential impacts on the company. Understanding the different sorts of cloud service that are being or could be used – as well as the types of data involved – is important in assessing which risks and privacy controls are most relevant.

The combination of different types of cloud computing infrastructure; the sheer scale of computational power and storage; the increasingly complex flows of data; and the greater use of a dizzying range of devices – together they present privacy challenges that simply did not exist even a decade ago.

An example helps illustrate this. ISO 27002 already requires information security awareness, education and training as a necessary control. ISO 27018 extends this to cover the specific privacy issues in cloud services, adding that measures are needed to make staff aware of:

“…the possible consequences on the public cloud PII processor (e.g., legal consequences, loss of business and brand or reputational damage), on the staff member (e.g., disciplinary consequences) and on the PII principal (e.g., physical, material and emotional consequences) of breaching privacy or security rules and procedures…”

A few minutes’ sober reflection by any fiduciary should be enough to consider the import of such measures – but also the value to the organization of complying with them and promoting such compliance as a business virtue. These are not “IT issues”. They go to the heart of good corporate governance and fiduciary responsibility. If you are on a Board or report to one, this affects you.

Tomorrow, I will look in more detail at what the ISO/IEC 27018 Standard has to offer you and those who rely on you.

Posted in Uncategorized