Particularly in developing countries, where an increase in disposable income, population and access to technology, as well as investments in infrastructure and construction, will increase demand for work. However, an estimated “75 million to 375 million workers (3 to 14 percent of the global workforce) will need to switch occupational categories.”
These shifts will demand that policy makers, regulators and corporate executives embrace the coming technological shift while planning ahead for the transitional strains likely to be felt by the working class.
“Which jobs will be automated first? The jobs that computers do better than humans. That sounds terrifying, but we are really removing jobs where computers do a better job and humans can move on to do more value-added jobs.” – Jorn Lyseggen, Meltwater Founder & CEO. Between almost zero and 30% of the hours worked globally could be automated by 2030.
Most important is the focus on data. “Where things can’t be automated, the data will be used to help you understand how you work and improve what you do.” This will in turn be used for performance management and will lead to human work that is increasingly more intellectually challenging.
Today’s directors are facing unprecedented challenges, demands, and expectations that amount to a new mandate for boards.
“Even with automation, the demand for work and workers could increase as economies grow, partly fueled by productivity growth enabled by technological progress.” – from the McKinsey report “What the future of work will mean for jobs, skills, and wages.”
When you contract with a cloud provider, irrespective of whether you are a controller or a processor, consider the following for inclusion within the contract. Many cloud contracts present challenges, especially where the provider is large and you as an organisation are small. Negotiation power generally diminishes, and many providers want to work under their own terms. Consider this from the beginning of the relationship and do not be afraid to walk away if the provider’s stance or terms are too onerous.
- The nature of the processing relationship. Are you the controller, and is the provider a processor? Are they a controller? Is there any kind of joint controllership? Many contracts reflect a controller-to-processor relationship. This may be true or only partially true, as the cloud provider may be processing your data for other purposes, for example analytics. Make sure that you evaluate and agree the exact nature of the relationship at the outset and that this is reflected in the contract.
- When you have defined your relationship, ensure that you agree the type of data that is being processed. If it is business or personal data, it is prudent to define the type of data being processed and the categories of data that are covered by the processing operation. If it is a clear relationship where you are the controller and the cloud provider is the processor, the contract must be clear. If the cloud provider has any kind of controller relationship around your data, you must agree explicitly what they can and cannot do with the data. It is your data and it has a value to you.
- Consider the nature and purpose of the processing. For example, are you processing personal data on a Human Resources system, hosted as SaaS in the cloud? If so then you may also be processing sensitive personal data. That will affect the contract as additional security controls and contract mechanisms are likely required.
- If you control the data, what are your obligations and rights to the data as a controller? Remember that most data protection legislation requires the controller of the data to report issues such as a breach. Be clear within the terms of the contract around what you expect your processor to do and what you as a controller will do and under what circumstances.
- Do not assume that your cloud provider is compliant with the GDPR and other privacy legislation. You will need to assess compliance and need evidence of this. Be aware that even though the supplier may have many certificates that show a degree of maturity in security and compliance, work still needs to be done and specifics agreed. For example, you will need to agree where the data is going to be hosted (via a contractual data transfer mechanism or geolocation restrictions when you choose services). You will also need to agree how a data breach is handled so that you can build the supplier’s processes into your own breach response plan.
A Journal of Law and Policy study shows that privacy policies are hard to read, read infrequently, and do not support rational decision making.
We estimate that reading privacy policies carries costs in time of approximately 201 hours a year, worth about $3,534 annually per American Internet user. Nationally, if Americans were to read online privacy policies word-for-word, we estimate the value of time lost as about $781 billion annually. These estimates presume that people visit sites, read the policies once a year, and then carry on their business as before.
The current policy decisions surrounding online privacy suggest that Internet users should give up an estimated $781 billion of their time to protect themselves from an industry worth substantially less. This is not to say online advertising should be banned. Sales from direct mail are approximately an order of magnitude higher than advertising costs and the cost of online advertisements similarly understates the full market. But it appears the balance between the costs borne by Internet users versus the benefits of targeted ads for industry is out of kilter.
Finally, some corporations take the view that their users should read privacy policies and if they fail to do so, it is evidence of lack of concern about privacy. Instead, we counter that websites need to do a better job of conveying their practices in usable ways, which includes reducing the time it takes to read policies. If corporations cannot do so, regulation may be necessary to provide basic privacy protections. Disclosure legislation may be insufficient: adding more text to policies that most consumers do not read does increase transparency, but may otherwise be of limited practical utility.
Privacy is about clashing interests and values, and about the difficult task of choosing among them. Privacy rules nearly always burden some stakeholders while benefiting others. The rules describe how privacy ought to function. Privacy determines who ought to be able to access, use, and alter information. It justifies these choices with reference to larger values, values that compete for priority and attention. Security implements that set of choices.
Security, by contrast, describes how privacy does function. Security implements privacy’s choices. Security determines who actually can access, use, and alter data.
Security, therefore, is the interface layer between information and privacy. It mediates privacy rights, putting them into effect. Security is the bridge between data and those who consume it. Security is agnostic about how privacy rules dictate selection of who may interact with data.
Informally, there are two interactions between security and privacy: 1) law and code, and 2) the security precautions to be taken.
In terms of law and code, privacy theories will generate development of technologies that make their implementation possible. For example, systems where data has a temporally defined existence, such as with Vanish’s self-destructing documents, make it possible to envision privacy models where data transfers are of limited duration rather than complete transfers.
With regard to security precautions to be taken, privacy will dictate the level of security precautions. For example, regulation of medical records may require that only those treating a patient or covering her care via insurance have the capability to access her protected health information. However, a hospital may put in place a security mechanism that fails to enforce this mandate, or at least fails to do so rigorously. The hospital may do so innocently or deliberately.
Security and privacy can, and should, be treated as distinct concerns.
Cloud computing is transforming business by making available services that were previously costly, difficult to manage and implement. Cloud computing brings many benefits, but it is not without its risks.
There are lots of things to consider when buying cloud services. Issues to explore include cloud security, services provided, supplier management and regulatory compliance with applicable laws.
Key risks and issues:
Cloud Security: Most cloud providers work on a shared responsibility model. When it comes to security, cloud providers are no more and no less secure than traditional data centres. When looking at security, make sure that you understand your responsibilities around security and that this is shown in the contract.
Cloud providers are subject to the GDPR if they process any EU personal data. This means that they must have appropriate security and be able to demonstrate this. When looking at cloud services, review their processes, certifications and attestations to determine what standards they meet, the scope of coverage and how robust their measures are. The CCPA requires reasonable security practices. This is subjective, so a review against international standards or best practice is advisable, as this is legally defensible.
Compliance: The cloud supplier is subject to applicable law if they process data. In the EU this is not only the GDPR but also the NIS Directive. If processing the data of Californian residents, then the supplier may be subject to the CCPA as well. Make sure that you understand what other applicable laws the provider complies with and how this affects your compliance stance. For example, the cloud provider may be a service provider under the CCPA (typical of some SaaS products) and therefore you need to ensure that your contract with them reflects this relationship.
Controller or Processor Relationship: Who is the data controller and who is the data processor? In many cases it may not be straightforward. For example, the service provider may sample the data you provide for analytical purposes. In this case they may be a controller of your data for this activity. Your contract needs to be specific and the relationships clear within the contract. If not, there could be liabilities that you may be subject to but not aware of. There are also pass-through obligations that need to be factored in. For example, in the EU there is the right to be forgotten and under the CCPA the right to deletion. If the relationship between controller and processor is not clear, then when these rights are exercised, data could be kept, leaving parties open to a fine.
Data Transfer: Where does the cloud service provider process your data? You need to understand this and have guarantees that the data will not be exported out of the EU without the appropriate mechanisms in place. These could be Data Transfer Agreements, EU-US Privacy Shield or Binding Corporate Rules. If no agreement exists or if the appropriate exemption is not in place, then processing is unlawful, and it is a breach of the GDPR. When factoring in data transfer, also look at your customer contracts, as you may need consent to export, or if your customers are in certain industries, data export may need their contractual permission too. Consider data deletion also. If you do not know where it resides, then deletion could be difficult if not impossible. This would be a breach of the GDPR and CCPA if a consumer requested their data to be deleted and you were unable to do so.
Resilience: Cloud services are not always resilient, so consider business continuity and disaster recovery. Do not assume that the service will always be there; consider availability under the service contract and what contingency measures you can put in place to continue if the cloud service fails. Under normal conditions data residency may be in the EU, but under failover conditions it may be outside of the EU. This also needs to be considered when looking at resilience, as you may not be aware of the failover and could be in breach of the GDPR or customer contracts without knowing it. Although the CCPA is not specific in its requirements around resilience, you still need to identify where your data is under failover conditions, as there could be a need to delete it.
Data Breach Response: The responsibilities and actions taken to report and manage a data breach need to be clear and explicit within the cloud contract. Contact details, response times, assistance and who can be informed / involved need to be factored in. Some providers limit who can be involved in a breach situation, and this can affect your investigations and subsequent liabilities. Moreover, many contracts give generic responsibilities and statements, such as that they will notify within forty-eight hours of becoming aware of a breach. This is fine, but who will they notify, and if you have forty-eight hours to report a breach (seventy-two hours for regulators in the EU), then how does this affect you? What about preservation of evidence and forensic investigations? Your own data breach response needs to factor in your suppliers, their approach and joint working. This then needs to be reflected in the contract. If you are involving third parties such as forensic investigators, these may need to be agreed in advance, so knowing who they are and having a contract in place with the third party is beneficial.
Indemnities and Insurance: Cloud providers typically try to limit their liabilities in the event of a data breach or non-compliance. You need to consider the extent of their liabilities and yours and any legal recourse, as you could be exposed to costs that can only be recovered by further litigation. Check the service provider’s insurance and yours to see the extent of coverage. There will be gaps that you need to factor into your risk register going forwards. Provisions may also need to be made, as a breach could affect cash flow as well as ongoing expenses. Cyber security insurance coverage will only go so far.
Supplier Management and Ongoing Surveillance: To be compliant you need to be able to evidence that you have the appropriate contracts in place and that you have completed due diligence. If you sign a three-year contract for services, it is very likely that the certification and compliance measurements that you initially assessed will expire or change. To be evidentially compliant with the GDPR and the CCPA (to demonstrate reasonable security), you need to review and assess regularly. This means that any standards or certificates that have been provided by the supplier will need to be re-assessed when they are renewed. For SOC2 this is generally every six months and for ISO27001 it is generally every twelve months. Article 24 of the GDPR requires a demonstration that processing is performed in accordance with the regulation. If you do not regularly review your suppliers and have an ongoing surveillance program, you are unable to demonstrate compliance and therefore you are not going to be in a legally defensible position should a regulator come calling.
Article 28 is a game changer: previous data protection regulations made the controller accountable for data, and there was limited recourse against processors. Now controllers must only appoint processors who can provide “sufficient guarantees” to meet the requirements of the GDPR. This means that a contract needs to be in place with your data processors and any third parties that they may engage on your behalf. As a company, you can no longer just renew a purchase order for any services involving any form of personal data transfer without considering GDPR compliance.
You Need a Written Contract
You need a written contract with your supplier, and you need to do your homework to find out if they are compliant. You need to proactively check their security, privacy and contracts to be assured that they are actively following the requirements of the GDPR. The contract must clearly describe the subject matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subject, and the obligations and rights of the controller. Simply put: what data you are processing and why, what people are affected, who is the controller, and the boundaries between the controller and processor, defining who does what and when. This requirement exists not only with your supplier but with their suppliers too, if they provide any services that involve you.
You Must Validate Supplier Security Measures
Your supplier must take all measures required pursuant to Article 32. This means that they must have the appropriate security policies, processes and systems in place to protect your data. The supplier must be able to evidence and demonstrate that their security is adequate. This can be challenging as security can sometimes be difficult to measure. Look at any certifications, standards and attestations they may have. For example, ISO27001 will have a statement of applicability and numerous policies associated with it. A third-party auditor will also have reviewed these to award certification. If they do not have any certifications, then they should have policies and penetration testing results if they host any kind of service. If your supplier is unwilling to share any policies, processes or certification then it is recommended that you do not do business with them as you have liabilities as well as your supplier.
Suppliers Need to be Managed
Many organisations make the mistake of signing a contract and then not actively managing their suppliers going forwards. It is not good enough to “check and forget”. You must review your suppliers regularly for compliance. This means assessing their security and privacy measures at least once a year, or more frequently. The GDPR requires a demonstration of compliance with the obligations laid down in Article 28.
Supply Chain Relationships are Complex
The advent of cloud computing has brought many benefits to businesses and today cloud adoption is on the increase as many actual or perceived barriers have been reduced or overcome. The impact of this is profound as it has increased the number of possible parties involved in a supplier relationship. Many suppliers now have fourth and fifth or more parties involved, and they need to be reviewed and managed too. An example of this is a supplier who outsources some of their business to a different supplier who is a fourth party. If this supplier then outsources some of their processing to another party, then that party is a fifth party. These suppliers need to be managed within the supply chain and their processes and policies need to be reviewed and included in your supplier management strategy. The same data protection obligations as set out in the contract with your supplier must carry through to other parties if they are part of the supply chain. Moreover, if the fourth or fifth party have security measures, do not assume that the third party who you have initially contracted with is secure if they use their fourth or fifth parties’ certifications as evidence of their own compliance. These certifications will only cover the services provided by the fourth or fifth party and not the supplier you are engaging with. They need their own policies, processes and certification to prove that their security is adequate.
Know Where Your Data is Held
Article 28 requires the processor, at the choice of the controller, to delete or return all the personal data to the controller after the end of the provision of services relating to processing, and to delete existing copies unless retention is required by law. There is also a provision within Article 28 that requires that the processing of data, including with regard to transfers of personal data to a third country or an international organisation, only takes place on documented instructions. If you do not know who is processing your data and where it is being processed, you cannot comply with these two provisions. Many companies, particularly if they are cloud service providers, disclose their sub-processors via a website. They may give an option for you to refuse a sub-processor, but you need to check their website and raise an objection to the proposed processor if their vendor list changes. This is non-compliant with the GDPR but common practice. You therefore need to baseline and agree any sub-processors at the time of contracting and put in place a contractual or a surveillance mechanism to ensure that you know where your data is being processed and by whom. You also need to ensure that the Data Transfer Agreement you have in place reflects the processing operations being undertaken by the supplier’s sub-processor and that the contract they have with the supplier is GDPR compliant.