Originally published by New Context.
Data portability is a core component of several recent data privacy laws that affect businesses around the world. According to data portability regulations, your customers have the right to access any personal information that you’ve collected or processed about them, and they can transfer that data to another provider in a common, machine-readable format like CSV or XML. You’re also responsible for protecting the privacy and security of that data, both while it’s in your possession and while you’re in the process of transferring it off of your infrastructure.
Data portability has introduced some interesting challenges, especially when it comes to cloud computing and security. While you’re responsible for keeping your customers’ cloud data secure, your security measures can’t interfere with a user’s ability to access and transfer that data. Balancing security and mobility is crucial for your business to maintain data portability in cloud computing.
Regulations Covering Data Portability in Cloud Computing
Worldwide, there are many laws and regulations pertaining to cloud data portability and privacy. Two of the most prevalent pieces of legislation are the General Data Protection Regulation in the EU and the California Consumer Privacy Act in the US.
General Data Protection Regulation (GDPR)
The GDPR was implemented in 2018 and covers the personal data of any individuals residing in the European Economic Area. This means that, even if your business is located elsewhere, you must comply with the GDPR if any of the personal data you manage pertains to a user in the European Union. Under this legislation, consumers have the right to obtain any of their personal data in a commonly used, machine-readable format within 30 days of making a data subject access request, or DSAR. If you receive a DSAR, you must verify the identity of the user making the request, and then ensure the security of their personal data until it has been fully transferred off your systems.
California Consumer Privacy Act (CCPA)
The CCPA was also enacted in 2018 and pertains to any companies doing business in California or processing the data of individuals living in California. Like the GDPR, the CCPA outlines the process a customer can follow to request their personal data. If your company is subject to the CCPA, you have 45 days to provide this data, and you must also verify the customer’s identity first and follow security protocols for protecting that data in transit.
There are other region-specific data portability and privacy regulations that your company may have to follow if you do business outside of the U.S. or process data for individuals in other countries. India, Brazil, and Kenya are examples of other jurisdictions with data portability laws, and many more have similar laws currently in the works, including Canada and Australia.
Data Portability in Cloud Computing Security Protocols
While you must ensure your company responds to DSARs as quickly as possible, you can’t neglect the security of your cloud services. Keeping your clients’ cloud data secure while staying compliant with data portability regulations requires a combination of access controls, data governance, encryption, and monitoring.
In addition to the security controls you put in place to prevent unauthorized access to data on your cloud infrastructure, you need to ensure you have a process in place for verifying the identity of a user who makes a DSAR. This is a requirement of both the GDPR and CCPA, but both laws give companies some flexibility to choose their own identity verification and access control methods. The GDPR specifically requires that you use a verification method that proves a user’s identity through knowledge, possession, or inherence.
- Knowledge Verification: Asking a security question that only the individual would know, such as their mother’s middle name or the hospital they were born in.
- Possession Verification: Using a device only the individual would have access to, such as their cell phone, to request verification. This is best managed through multifactor authentication (MFA) devices or apps.
- Inherence Verification: Using something that’s inherently part of an individual, such as their fingerprint or retinal scan, to prove their identity.
Given the limited timeframe you have to provide data in response to a DSAR, you need to ensure you’re able to find that data quickly, and that the data you provide is complete. Accidentally missing some personal data that’s residing in an unexpected place could open your business up to liability. This is why cloud data classification and mapping software is crucial for maintaining data portability in cloud computing. You can use these tools to locate your data, tag it according to its sensitivity and classifications, and easily retrieve it as needed.
As mentioned above, all data portability regulations require that your company maintains the security of personal data as it’s being transferred off your cloud servers or platform. The exact encryption methods you need to use will depend on the type of data being transferred and the applicable data portability and privacy regulations. For example, if your user’s data falls under HIPAA (Health Insurance Portability and Accountability Act) or PCI/DSS (Payment Card Industry Data Security Standard) laws as well as GDPR or CCPA, you may need to use specific security and encryption measures.
In addition to securing cloud data as it’s in transit, most data portability laws require that you maintain that data’s integrity as well. This means you need to verify that the data has not been altered or tampered with, either by mistake or by a malicious actor. The only real way to ensure data integrity is through robust data monitoring. Using cloud monitoring tools will allow you to see every person who accessed or changed a file while it was in your possession and in transit, so you can spot irregularities or fix any issues before that data leaves your cloud systems.
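One way to detect alteration of a DSAR export between the moment it is generated and the moment it is released, shown as an added example that is not part of the original article. The function names, the request ID format, the sample rows, and the demo key are assumptions made for illustration.

```python
import csv, hashlib, hmac, io, json

# Constructed sample records standing in for one data subject's export.
SAMPLE_ROWS = [
    {"field": "email", "value": "alex@example.com"},
    {"field": "plan", "value": "premium"},
]

def build_export(rows):
    """Serialize rows to CSV bytes (a common machine-readable format)."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=["field", "value"], lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue().encode("utf-8")

def seal(export_bytes, request_id, key):
    """Record the export's SHA-256 and bind it to the request with an HMAC tag."""
    manifest = {"request_id": request_id,
                "sha256": hashlib.sha256(export_bytes).hexdigest(),
                "size": len(export_bytes)}
    canonical = json.dumps(manifest, sort_keys=True).encode("utf-8")
    manifest["hmac"] = hmac.new(key, canonical, hashlib.sha256).hexdigest()
    return manifest

def verify(export_bytes, manifest, key):
    """Return (ok, reason); run immediately before the file is released."""
    body = {k: v for k, v in manifest.items() if k != "hmac"}
    canonical = json.dumps(body, sort_keys=True).encode("utf-8")
    expected = hmac.new(key, canonical, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest.get("hmac", "")):
        return False, "manifest altered"
    if len(export_bytes) != body["size"]:
        return False, "size mismatch"
    if not hmac.compare_digest(hashlib.sha256(export_bytes).hexdigest(), body["sha256"]):
        return False, "content altered"
    return True, "ok"

if __name__ == "__main__":
    key = b"constructed-demo-key"  # assumption: a real key comes from a secrets manager
    data = build_export(SAMPLE_ROWS)
    m = seal(data, "DSAR-0001", key)
    print(verify(data, m, key))
    print(verify(data.replace(b"premium", b"basic"), m, key))
```

A failed check tells you the export changed after it was sealed; access logs from your monitoring tools are still what identify who changed it.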
As you implement cloud data portability and security protocols, it’s important to keep the laws and regulations that apply to you in mind at every step of the process. You may need a compliance expert on staff to ensure none of your policies or controls interfere with data portability or privacy standards. Or, you can partner with the experts at New Context to develop a plan for data portability in cloud computing that addresses all of your unique regulatory challenges.