Get your head out of the cloud. It’s time for a wake-up call on privacy compliance.
The Cloud Security Alliance (CSA) has released a code of conduct on best practices in the cloud in
preparation for the General Data Protection Regulation (GDPR). And it all comes down to one thing.
Document whatever you do -- and be prepared to explain it to everyone from customers to the EU.
Specifically, the CSA advises firms to create a Statement of Adherence. This documents the services you offer (and which of them are covered), the means of adherence, the scope of adherence, and the Privacy Level Agreement (PLA) Code of Practice version you are using (there are several, going back to 2013).
Valid for one year, this statement should be signed by your legal counsel or data protection officer (DPO).
The CSA is an organization dedicated to raising awareness of best practices to ensure secure cloud computing.
The practices specified by the CSA are similar to the rules for all data processing under the GDPR, whether the data is in the cloud or in an on-premises data warehouse. But they are worth reviewing because of the explosion of cloud computing and the need to conduct due diligence on vendors, some of which may be new to the space.
"Companies worldwide are struggling to keep pace with shifting regulations affecting personal data protection," states Francoise Gilbert, CSA lead outside counsel and PLA Working Group co-chair.
She adds that the PLA working group realized "it was critical for cloud providers to have guidance that would enable them to achieve compliance with EU personal data protection legislation."
So what do you have to do if you are offering or using cloud services? Here is our quick read of the requirements:
- Fair and transparent processing of personal data — Be ready to tell the public and data subjects the categories of personal data being processed, the purposes of the processing and the recipients of the data. You also have to identify sub-contractors and sub-processors.
- Exercise of data subjects' rights — Be sure you are using the data only for the purposes specified, and that you disclose the methods used for deleting data.
- Notification of personal data breaches to supervisory authorities — Be prepared to say how and when the customer will be informed of personal data breaches when the data is processed by the cloud service provider (CSP) and/or its subcontractors. Also, explain the nature of the breach, the number of records affected and the likely consequences.
- Rules on transfer of personal data to third countries — Document the third country or international organization the data goes to, and the suitable safeguards that apply.
There is much more. For example, you have to include your insurance information and how the customer can monitor or audit your activities. This affects U.S. companies with European customers just as much as EU-based providers. You can do a deeper dive at the CSA's GDPR Resource Center.