So, the next one's a tough one, okay? And I'll let people read it, but I'll summarise it as you're reading. A lot of people focus on the cloud providers. The majority of public cloud infrastructure providers are, in fact, US companies. And people rely on them. How do you, therefore, when you can't control what they're doing have it so that they comply? And this is critically important and I do want to comment when you join the LinkedIn Group, please go down and read prior posts. There are also prior webinars. There are prior FAQs. It's very feature-rich. Because this is a question that actually had a lot of attention in a prior webinar, but I think it would be good to get the reaction of today's panelists on this. And then, I'll obviously jump in as well. But, Gabriela, do you have any particular thoughts?

Gabriela Zanfir-Fortuna (FPF)
Oh, no, I'm so sorry. I was just replying to someone about the new SCCs. And then, I have to apologise. I really need to go.

Gary LaFever (Anonos)
Gabriela, thank you so much for coming. I do understand. And I ask everyone to give applause but no one will hear. So, thank you Gabriela for coming. And if Maggie can stay for a while, we will do so. And look, the new SCCs are very critical. But bear in mind, just like the car driving over the cliff, they by themselves are not enough. You need to pair those with technical controls. Thank you, Gabriela. Thank you very much.

Gabriela Zanfir-Fortuna (FPF)
Thank you very much, Gary and Maggie. It was a pleasure being here today with you. And thank you to all of the attendees for their attention.

Gary LaFever (Anonos)
Thank you, Gabriela.

Magali Feys (Anonos)
Thank you.

Gary LaFever (Anonos)
So, Maggie, do you have any particular perspective on this?

Magali Feys (Anonos)
Because I was also reading the question, I think that goes back to also the trust there and it goes back to your chocolate teapot there, which I didn't know what it meant either. It’s the fact that you will now also see in contracts in, for example, governmental projects, that they will really require you to comply and we already had supervisory authorities - the Flemish one saying that if you use US cloud that you can't use it without the supplementary measures and that they want to see it. And so, of course, the government is looking at now their providers to make sure that they also comply. So, I think, at a certain point, and we have also seen that with GDPR and it took a little bit a while, but it became really something in the negotiation and the sales process. So, if you really think that it's only a chocolate teapot, I really disagree because I think it will affect the business as it will become really obligations that you have to meet or otherwise will face liability towards that. And on the other hand, we see that more and more like the ISO 27700 certification is really also looking to GDPR compliancy. We once had a project in that and it was also asked: “What are your Schrems II compliance and additional safeguards?” And if you then have that certification, it really helps. So, I really think that it's a process that people have to grasp what Schrems II is. That ball is rolling. We had snow in Belgium, which is very particular. But that snowball is rolling and it's coming and I think it will have its triple effect to all the subprocesses and the processes.

Gary LaFever (Anonos)
And so, specifically on this, one of the visuals I used previously was actually the example of how this could be resolved. You can pseudonymise data using heightened requirements for GDPR Pseudonymisation, submit the Pseudonymised data for the advanced processing, AI, ML, etc., in the cloud, get the results back but actually do the relinking to identity in the EU or by an equivalency country or an EEA country. So, there are ways to do this. But if you think of it, there's a shared responsibility model with cloud providers, and all the cloud providers are saying: “We have SCCs. We have new SCCs.” And it's true. But you have always been responsible for the lawfulness of the data that you submit to the cloud. And so, in essence, it's your responsibility and you can do something about it by Pseudonymising the data that is sent. And if you remember the diamond, we in our experience, 98% of the processing can be handled with pseudonymised data. So, then you have just the edge cases, the 2%, which the derogations may well be able to support. So, that would be my recommendation as you look at GDPR Pseudonymisation within the cloud because then you're not dependent on the cloud providers, you have put the protections in place, and you know you're in compliance.