The organization should understand that when it engages a service provider to process personal information, the organization remains responsible for that service provider’s compliance with the organization’s privacy obligations. Among other things, that means that the organization is required to use contractual or other means to provide a comparable level of protection while the third party is processing the personal information.
Understanding compliance obligations
A good starting point is for the organization to assess and understand its own compliance obligations. In addition to the mandatory privacy and security obligations under private sector privacy law, the organization may be subject to other regulatory obligations. For example, certain financial institutions may also be subject to regulatory guidelines established by the Office of the Superintendent of Financial Institutions.
Once an organization understands the obligations it must meet, it can then do due diligence on the cloud service provider to ensure that the provider’s practices will be sufficient for the organization.
The organization should also assess its measures for handling a data breach. Proactive steps include encrypting data, with the encryption arrangements agreed with the service provider, and limiting the amount of personal information collected in the first place. Another proactive step is for the organization to understand its data breach reporting obligations.
A well-prepared organization will plan in advance for a data breach by having prepared all of the governance, decision making, and investigative resources needed to quickly respond to an incident.
Customers and the public see organizations that are ready in advance as more proactive and privacy-savvy. A prompt response to a data breach can enhance the trust that customers and the public place in the organization.