Get your head out of the cloud. It’s time for a wake-up call on privacy compliance.
The Cloud Security Alliance (CSA) has released a code of conduct on best practices in the cloud in preparation for the General Data Protection Regulation (GDPR). And it all comes down to one thing.
Document whatever you do -- and be prepared to explain it to everyone from customers to the EU.
Specifically, the CSA advises firms to create a Statement of Adherence. This would document the services you offer (if covered), the means of adherence, the scope of adherence, and the Privacy Level Agreement (PLA) Code of Practice version you are using (there are several, going back to 2013).
Good for one year, this assurance should be signed by your legal counsel or data protection officer (DPO).
The CSA is an organization dedicated to raising awareness of best practices to ensure secure cloud computing.
A new study predicts that the cloud business email market will grow at a compound annual growth rate of 11% and hit $2.15 billion in 2023. The fastest growth will be in North America, partly because of the presence of established players like Google, Microsoft Corporation and IBM Corporation, according to
The practices specified by the CSA are similar to the rules for all data processing under the GDPR, whether the data is in the cloud or in a data warehouse. But they should be reviewed because of the explosion of cloud computing and the need to conduct due diligence on vendors, some of which may be new to the space.
“Companies worldwide are struggling to keep pace with shifting regulations affecting personal data protection,” states Francoise Gilbert, CSA lead outside counsel and PLA Working Group co-chair.
She adds that the PLA working group realized “it was critical for cloud providers to have guidance that would enable them to achieve compliance with EU personal data protection legislation.”
So what do you have to do if you are offering or using cloud services? Here is our quick read of the requirements:
There is much more. For example, you have to include your insurance information and how the customer can monitor or audit your activities. This affects all U.S. companies with European customers. You can do a deeper dive at the CSA’s GDPR Resource Center.