{"id":7659,"date":"2017-05-16T04:32:00","date_gmt":"2017-05-16T12:32:00","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2017\/05\/16\/news-1444\/"},"modified":"2017-05-16T04:32:00","modified_gmt":"2017-05-16T12:32:00","slug":"news-1444","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2017\/05\/16\/news-1444\/","title":{"rendered":"Missing protection: Corporate B2B privacy policies"},"content":{"rendered":"<p><img decoding=\"async\" src=\"http:\/\/zapt3.staticworld.net\/images\/article\/2015\/06\/privacy-100589527-primary.idge.jpg\"\/><\/p>\n<p><strong>Credit to Author: Evan Schuman| Date: Tue, 16 May 2017 04:00:00 -0700<\/strong><\/p>\n<p>When most IT execs hear the term \u201ccorporate privacy policy,\u201d they think about what their company promises its consumer customers in policies such as those from <a href=\"http:\/\/www.computerworld.com\/article\/3191984\/social-media\/use-linkedin-a-lot-read-its-new-privacy-policy-carefully.html\">LinkedIn<\/a>,\u00a0<a href=\"http:\/\/www.computerworld.com\/article\/2880596\/uber-shows-how-not-to-do-a-privacy-report.html\">Uber<\/a>\u00a0and\u00a0<a href=\"http:\/\/www.computerworld.com\/article\/3150291\/security\/bye-privacy-evernote-will-let-its-employees-read-your-notes.html\">Evernote<\/a>. But what about policies in contracts entered into with businesses that will handle data from or about your company? Those are rare, and that is a massive security hole.<\/p>\n<p>Let\u2019s start with the low-hanging fruit. Think about the various Android and iOS devices your employees use. The devices constantly monitor their users. And I mean constantly. It used to be that users could go private by entering airplane mode and making sure that Wi-Fi was deactivated.<\/p>\n<p>At least on iOS \u2014 thanks, Apple! \u2014 no more. 
With a recent OS upgrade, my iPhone now reacts with a \u201cSiri not available\u201d whenever my phone is in airplane mode and off of Wi-Fi and I say the magic \u201cHey, Siri\u201d phrase. That means that Siri, though unable to access its databases, is still listening, or it wouldn\u2019t know to say that.<\/p>\n<p>If you purchased your employees\u2019 smartphones, did you include in the purchase agreement any privacy rules? Is your company willing to pass on devices that don\u2019t comply? If enterprises across the U.S. started insisting on privacy limits, I\u2019d put serious money on the prospect that we\u2019d see changes quickly.<\/p>\n<p>This issue extends beyond smartphones. There\u2019s also the cloud. Do your contracts with cloud vendors include language limiting what they can do with the highly sensitive data they will be able to access?<\/p>\n<p>Contrast that with the typical employment agreement, which these days is likely to require that all confidential material be protected unto the grave and five years beyond. Meanwhile, most B2B contracts do more to protect the confidentiality of the contract itself than the boatloads of sensitive data the contracting party is about to turn over.<\/p>\n<p>This is critical because, with the FCC rolling back privacy protections under the Trump administration, companies are on their own when it comes to protecting their data confidentiality, to an extent greater than even a year ago. Some municipalities are\u00a0<a href=\"https:\/\/www.engadget.com\/2017\/05\/06\/seattle-broadband-privacy-rules\/\">establishing their own privacy rules<\/a>, but their focus is squarely on protecting their consumer citizens, not businesses.<\/p>\n<p>Then there are the privacy implications of dealing with companies in other countries. 
Before we delve into the privacy issues with companies that are based in other countries, don\u2019t forget the basic data sovereignty issues with cloud companies that move their data \u2014 by which I mean\u00a0<em>your\u00a0<\/em>data \u2014 from server farm to server farm across many countries. Every time the data crosses a border, the protections it inherits (assuming the local government insists on any) change. That\u2019s why your direct agreement with that cloud (or what have you) company must be explicit and international: it should name the countries or regions in which your data may be stored and processed, require notice before that list changes, and bind the provider\u2019s subcontractors to the same terms.<\/p>\n<p>No company can ignore the European Union\u2019s General Data Protection Regulation (GDPR) rules, which are slated to go into full effect next year, on May 25, 2018. (I just did a fairly\u00a0<a href=\"http:\/\/thecontentfirm.com\/images\/user\/other\/GDPR-Piece.pdf\">deep dive into GDPR implications<\/a>.) Those rules may be focused on consumers, but they will immediately ripple into corporate data concerns as well.<\/p>\n<p>By the way, GDPR can directly impact companies even if they have no customers or employees in EU countries: its territorial scope (Article 3) reaches organizations outside the EU that process personal data about people in the EU in connection with offering them goods or services or monitoring their behavior, and EU customers must contractually flow its processor obligations down to their non-EU suppliers. In short, GDPR will force you to be far more concerned about where your data is housed and the intimate details of how every partner of yours functions. The operations of very few Fortune 1000 companies don\u2019t touch anyone with EU ties, even second-hand ties.<\/p>\n<p>This is how GDPR will impact your B2B data privacy issues. It is written to protect individuals (\u201cdata subjects\u201d), not just consumers, so the employee records, business contacts and account holders named in a B2B data set are covered. It doesn\u2019t matter that the data was collected and supplied by an employer rather than by the individuals themselves.<\/p>\n<p>GDPR will force you to handle your data in a more stringent and documented way. Your GDPR preparations are the perfect opportunity for you to redo all of your supplier\/contractor\/distributor\/cloud agreements. 
Put bluntly, use the cover of GDPR to better protect your corporate privacy.<\/p>\n<p><a href=\"http:\/\/www.computerworld.com\/article\/3196896\/data-privacy\/missing-protection-corporate-b2b-privacy-policies.html#tk.rss_security\" target=\"bwo\" >http:\/\/www.computerworld.com\/category\/security\/index.rss<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><img decoding=\"async\" src=\"http:\/\/zapt3.staticworld.net\/images\/article\/2015\/06\/privacy-100589527-primary.idge.jpg\"\/><\/p>\n<p><strong>Credit to Author: Evan Schuman| Date: Tue, 16 May 2017 04:00:00 -0700<\/strong><\/p>\n<article>\n<section class=\"page\">\n<p>When most IT execs hear the term \u201ccorporate privacy policy,\u201d they think about what their company promises its consumer customers in policies such as those from <a href=\"http:\/\/www.computerworld.com\/article\/3191984\/social-media\/use-linkedin-a-lot-read-its-new-privacy-policy-carefully.html\">LinkedIn<\/a>,\u00a0<a href=\"http:\/\/www.computerworld.com\/article\/2880596\/uber-shows-how-not-to-do-a-privacy-report.html\">Uber<\/a>\u00a0and\u00a0<a href=\"http:\/\/www.computerworld.com\/article\/3150291\/security\/bye-privacy-evernote-will-let-its-employees-read-your-notes.html\">Evernote<\/a>. But what about policies in contracts entered into with businesses that will handle data from or about your company? 
Those are rare, and that is a massive security hole.<\/p>\n<p class=\"jumpTag\"><a href=\"\/article\/3196896\/data-privacy\/missing-protection-corporate-b2b-privacy-policies.html#jump\">To read this article in full or to leave a comment, please click here<\/a><\/p>\n<\/section>\n<\/article>\n","protected":false},"author":4,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[11062,10643],"tags":[11063,714],"class_list":["post-7659","post","type-post","status-publish","format-standard","hentry","category-computerworld","category-independent","tag-data-privacy","tag-security"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/7659","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=7659"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/7659\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=7659"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=7659"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=7659"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}