Privacy compliance can be costly and difficult. Part of the fault lies with software makers and services providers. For too long, privacy has been an afterthought and the cost of not taking privacy into account results in customers having to spend more money than they otherwise would have (or, that software makers and services providers would have had they incorporated customer privacy concerns at the design phase.
Let’s take cloud computing as an example. If you are a potential customer in Europe you probably don’t have any idea where to start to ensure that the cloud computing solution you are evaluating is compliant with privacy laws. You will meet with your vendor get a vague description of the controls, get an idea of what the international data flows are- if you are very lucky, and then have the pleasure of taking this information to the regulator to try an obtain approval for to transfer your customers’ data internationally. All the while, you are spending money on consultants and lawyers and taking your compliance, risk and in-house counsel away from their day jobs. You spend weeks back and forth between the provider and the regulator with you in the middle as the go-between. Your cloud provider pushes back stating that they can’t fine tune their processes, because then they would have to do that for everyone. The provider can’t offer you a local solution because they have a follow the sun operating and/or support model. If they do offer you a local solution, you don’t end up saving any money because now the provider has to keep a captured outsourcing center within Europe and its expensive labor market. You are left wondering why you even bothered to go down this road in the first place. All the while your costs are adding up. (I won’t even go into the contractual issues where the model clauses can clash with some providers’ extreme disclaiming of liability.)
Now, let’s give an alternative scenario. Your cloud provider attaches a schedule to the proposed contract detailing the international data flows including the data that flows to the support locations if they are different from the database centers. A second schedule details the technical controls in place to keep your data secure as well as the internal controls that ensure the proper organizational measures (e.g., training, processes to prevent social engineering). Your cloud provider has done the hard work of creating strong controls and a governance model to monitor and provide evidence of control effectiveness. A third schedule contains a third-party auditor’s certification. The provider’s account manager has a defined process for working with its privacy team to assist you in obtaining approval from your regulator. The provider agrees to refresh the schedules on an annual basis. As an added bonus, you receive another document format slightly differently, designed to be attached to your application for approval from the regulator. Independent of its relationship with you, your cloud provider takes a proactive approach and builds independent relationships with the relevant regulators.
This is not a posting on cloud computing. Substitute any product or service for cloud computing above. It is a posting on how we can no longer pass the costs of privacy to customers. Clients don’t have the resources. Providers can assist in compliance because it’s cheaper do economies of scale and their expertise and compliance and privacy. It’s a real competitive differentiator and customers are demanding it.