Cloud Formation: Best Practices For Computing Way Up There

Get your head out of the cloud. It’s time for a wake-up call on privacy compliance.

The Cloud Security Alliance (CSA) has released a code of conduct on best practices in the cloud in preparation for the General Data Protection Regulation (GDPR). And it all comes down to one thing.

Document whatever you do -- and be prepared to explain it to everyone from customers to the EU.

Specifically, the CPA advises firms to create a Statement of Adherence. This would document the services you offer (if covered), the means of adherence, the scope of adherence, and the Privacy Level Agreement (PLA) Code of Practice version you are using (there are several, going back to 2013).

Good for one year, this assurance should be signed by your legal counsel or data protection officer (DPA).

The CPA is an organization dedicated to raising awareness of best practices to ensure secure cloud computing.

A new study predicts that the cloud business email market will grow at a compound annual growth rate of 11% and hit $2.15 billion in 2023. The fastest growth will be in North America, partly because of the presence of established players like Google, Microsoft Corporation and IBM Corporation, according to



The practices specified by the CPA are similar to the rules for all data processing under the GDPR, whether the data is in the cloud or in a data warehouse. But they should be reviewed because of the explosion of cloud computing and the need to conduct due diligence of vendors, some of which may be new to the space.  

"Companies worldwide are struggling to keep pace with shifting regulations affecting personal data protection,” states Francoise Gilbert, CSA lead outside counsel and PLA Working Group co-chair. 

She adds that the PLA working group realized “it was critical for cloud providers to have guidance that would enable them to achieve compliance with EU personal data protection legislation."

So what do you have to do if you are offering or using cloud services? Here is our quick read of the requirements:

  • Fair and transparent processing of personal data — Be ready to tell the public and data subjects the categories of personal data being processed, the purposes of the processing and the recipients of the data. You also have to identify sub-contractors and sub-processors.
  • Exercise of data subjects' rights — Be sure you are using the data only for the purposes specified, and that you reveal the methods used for deleting data.
  • Notification of personal data breaches to supervisory authorities — Be prepared to say how and when the customer will be informed of personal data breaches when the data is processed by the CSP and/or subcontractors. Also, explain the nature of the breach, the number of records affected and the likely consequences.
  • Rules on transfer of personal data to third countries — Document the third country or international organization, and suitable safeguards.

There is much more. For example, you have to include your insurance information and how the customer can monitor or audit your activities. This affects all U.S. companies with European customers. You can do a deeper dive at the CSA’s GDPR Resource Center

Next story loading loading..