Holding Your Ears is not an Effective Strategy

Closing your eyes and holding your ears is considered an effective IT strategy. At least here in Denmark, where the Danish public schools have been ignoring European data privacy regulations. With much hand-wringing, they are now scrambling to replace their Google Chromebooks as the new school year starts.

The 2020 Schrems II judgment from the European Court of Justice said that because all data passed to American providers end up in the databases of the NSA, you are not allowed to store personal information with American cloud providers. Nevertheless, Danish schools kept using Google services. The Danish Data Protection Agency (DPA) has finally told them to stop.

The people at the coalface in your organization know where corners are being cut. But there are several layers of management between the people who know and the CIO and CTO who will be fired once the problem explodes. So if you are in an IT leadership position, how are you ensuring that you hear about questionable practices in your organization?

The Regulators are Coming

The Chinese are willing to bring the hammer down. The Americans and the Europeans, not so much. Draconian fines are theoretically possible for data privacy violations in the EU, California, and elsewhere in the West but are not imposed. In China, on the other hand, ride-hailing giant DiDi was hit with a $1.2 billion fine, close to the cap of 5% of annual revenue. Not that DiDi didn’t deserve it – regulators have identified 64 BILLION separate data collection violations.

Are you still looking at the puny fines handed out to everybody who is not a vilified American tech giant? Sooner or later, the regulators will start using their power. So you might as well get on top of any problematic data collection habits now.

Cloud Services Leak Your Data

Big Brother is watching what you write. Chinese users working on the local equivalent of Google Docs discovered that there are some things you can’t write. An author was locked out of the novel she was writing, with the system telling her that she was trying to access “sensitive content.” It didn’t matter that she wrote herself.

Of course, Google would never lock you out of your Docs or Sheets. And they claim they don’t look at your documents to sell you ads, though plenty of users report spooky coincidences. The default setting in Microsoft producs is to enable “Connected Experiences.” That means your content is being sent to Microsoft servers for analysis. Microsoft claims no human looks at it.

Do you have guidelines and technical measures in place to prevent sensitive data leaking out of your organization through cloud services?

Beware of Data Collectors

The days of untrammelled data collection “for the common good” might be ending. At least the watchdogs are yapping a little louder, as a new court case in London shows. The British National Health Service apparently has a contract with secretive American data analyst company Palantir, and they are being sued by a private privacy watchdog.

I would probably not choose to name my company after the device with which the dark lord Sauron subverted the wizard Saruman. However, the Lord of the Rings reference is obviously lost on investors, who value Palanatir at around $50 billion even though they have yet to make money.

As a CIO, you need to know where your data goes. If you have third parties analyzing them, you need to have someone make an independent assessment of whether you can expect your data to be safe with them. You need to balance the reward against the reputational risk if you are found cooperating with shady operators.