When you cut through the buzzwords, says privacist John Wunderlich, CIPP/C, the “cloud” isn’t much of a new concept. “What’s old is new again,” says the head of privacy consultancy Wunderlich & Associates. “You’re outsourcing to a provider who has expertise that you don’t have.”
Sure, you need to make sure you’ve got the proper contracts in place with that new provider—David Young, partner at McMillan LLP and Wunderlich’s co-presenter for their presentation “Finding Clarity in the Cloud” at the IAPP Canada Privacy Symposium, will focus on that piece of the puzzle—but, operationally, things shouldn’t be all that different from working with your other vendors.
For example, “If you’re good at it yourself, you shouldn’t outsource it,” he says. “Don’t outsource your core competencies…Understanding why you want to go there is step one. If it’s just because everyone else is doing it, that makes you a sheep ready for shearing.”
As for the privacy angle, “You cannot outsource accountability,” Wunderlich emphasizes. “I don’t care if you think you’re outsourcing privacy or security or payroll…you’re still accountable for everything you were accountable for before… They’re responsible for what you’re accountable for.”
That’s why, he said, it’s important to have metrics you can monitor to understand what should set off alarm bells. “Governance without metrics is just dogma,” he says. “Governance with metrics is risk management. At the end of the day, it’s a risk management equation. If you don’t have metrics to tell you something meaningful, then it’s not a business process, and privacy has to be a business process.”
For example, “Say you’re using [an online customer relationship management system], well, how many times has that customer file been opened and by whom? A good leading indicator,” Wunderlich offers, “is, if someone opens a customer file, does that match to an inbound call from that client? If not, why are you opening that customer’s file?…If you’ve got a nice advanced system, these things are possible. Maybe there’s a valid answer: ‘Another customer wanted to do something and I wanted to set it up the same way.’ That’s a fair answer, but you want to know that that happened, right?”
Another common confusion deals with consent. “The illusion is that you need consent for everything,” Wunderlich says, but, “if you’re using a service provider, because the accountability doesn’t transfer, you don’t need to re-consent just to use a different methodology to deal with the data.”
Just because you’re moving a file from an Excel format on your hard drive to a Google Docs spreadsheet in the cloud doesn’t mean you have to get consent again. However, “you are accountable for making sure that Google docs is set up in a certain way so that you don’t increase exposure—and that’s why you need all the contract knowledge.”
Want to hear more about that? Well, there’s a presentation in Toronto you might want to catch.
John Wunderlich, CIPP/C, Privacist, John Wunderlich & Associates, and David Young, Partner, McMillan LLP, present “Finding Clarity in the Cloud,” as part of IAPP Canada Privacy Symposium, May 22-24, in Toronto.