Data protection and privacy-related implications of a migration to the cloud – Roundtable

Participants:

David Dab, National Technology Officer Microsoft Belux
Laurent Bounameau, DPO & Cyber Security Advisor (CISO) Federal Police Belgium
Magali Feys, IP, IT & Data Protection Lawyer AContrario.Law
Bojan Spasic, Cyber Security Technology Partner Manager SWIFT
Moderator: Bruno Wattenbergh, Chairman of the EY Belgium Innovation Board Professor of Strategy & Entrepreneurship at Solvay Business School

So, your company has decided to make ICT life easier by migrating to the cloud. Easy pie, just ring a reputable cloud provider? Unfortunately, there may be some data protection and privacy hurdles to jump, as we learned at the 2021 Belgian Cyber Security Convention (BCSC).

Yes, modern cloud environments are in most cases the safest and/or most secure place, because of automation, focus on operational security and more. But…. Lawsuits as Schrems II threw a wrench in the practice of international data transfers, because of location and ownership of cloud infrastructure centers. Plenty of norms and standards insure physical reliability and more of cloud environments, but privacy-wise the (legal) debate is still going on. More specifically, users should consider cloud ‘safety’ of ‘security’ from the point of view of ‘what are my risks?’ or ‘what is the right set-up in my case?’ That fits within the inherent ‘risk-based’ nature of the European privacy law GDPR.

Does the GDPR kill off innovation as e.g. provided by cloud environments? Not quite. GDPR demands data-protection in solutions and environments ‘by design’ and ‘by default’, and to be careful when handling personal data. Provided all necessary security elements are implemented, cloud environments can provide a faster way to ISO 27001 security compliance than going for this certification on premise (e.g., by more easily keeping up with changes in systems, perimeter etc.). In short, the GDPR is a non-technical answer to a technology problem, and it’s now up to technology to continue innovating.

Innovation
Much privacy-enhancing technology is already in place, as encryption of data in transit and at rest. New developments target trust and confidentiality during processing by means of ‘computational encrypted data’ (homomorphic encryption), preventing leaks in memory. This kind of computing may be ultimately preferable to the (allowed by GDPR) technique of pseudonymization (the latter being subject of conflicting views at this roundtable). Other possibilities include processing without exchanging data, differential privacy (i.e. publicly sharing info about a dataset by describing the patterns of groups, while withholding info about individuals) and synthetic data generation (i.e. creating a subset of anonymized data). Also, more attention should be paid to the exact nature of data an application requires (e.g., an application counting people in streets for crowd control does not need actual images of the people, but only clear contours of those people).

New threats will require yet other innovations, as against attacks through machine learning (e.g. by poisoning the data set used to train the application) and AI (e.g. de-anonymization).
Actually, even privacy-enhancing technology may impact the privacy rights of a data subject. For instance, if somebody’s data has been rendered anonymized and included in a data set, it becomes impossible to enforce this person’s right that his data may not be used in machine learning.
Clearly, this roundtable presented an interesting and heady brew mix of technological and privacy concerns, going way beyond the specific subject of migration to the cloud. Well worth to be viewed again!

You can (re)watch the roundtable clicking on this link. The  recording can be found in the section 7 – Belgian Cyber Security Convention.



Nos autres articles

30 November: Computer Security Day: Ada Lovelace

On computer security day we pay tribute to Ada Lovelace, the forgotten mother of the computer. Often described as the first computer programmer — before computers were even invented — Ada was a real visionary. Imagine what she might have achieved had Babbage actually built his “computer” and she hadn’t died at the age of 36.

Privacy Focus Group: AI and Data Protection

The second webinar of the Privacy Focus Group on the subject of ‘Artificial Intelligence’ (AI) tackles a major challenge: how to reconcile the use of AI with the demands of GDPR, particularly regarding data protection? It is still very much unknown territory for developers, users and privacy protection officers. This webinar helps you find your way!

API Security

API’s (Application Programming Interfaces) are ubiquitous and used to interconnect all our popular web applications. Without API’s, applications cannot communicate and we would simply not be able to use the majority of the current cloud and web applications. But at the same time, because of these API’s, security threats are greater than ever. API attacks are different compared to traditional attacks: they target vulnerabilities in the business logic, and hackers exploit these zero-day vulnerabilities.


Partagez ce contenu avec votre réseau :