The Cloud Security Alliance (CSA), the world’s leading organisation dedicated to defining and raising awareness of best practices to help ensure a secure cloud computing environment, has released the CSA Code of Conduct for GDPR Compliance, which provides cloud service providers (CSPs), cloud customers, and potential customers with much-needed guidance on complying with the new obligations stemming from the European General Data Protection Regulation (GDPR). As part of this release, the CSA has also launched the CSA GDPR Resource Center, a new, community-driven website with tools and resources to help educate cloud service providers and enterprises on the new European Data Protection Regulation.
“Companies worldwide are struggling to keep pace with shifting regulations affecting personal data protection. The Privacy Level Agreement (PLA) Working Group realised it was critical for cloud providers to have guidance that would enable them to achieve compliance with EU personal data protection legislation,” said Francoise Gilbert, CSA Lead Outside Counsel and PLA Working Group co-chair.
“With the introduction of GDPR, data protection compliance becomes increasingly risk-based. Data controllers and processors are accountable for determining and implementing within their organisations appropriate protection levels for the personal data they process,” noted Paolo Balboni, European ICT, privacy and data protection lawyer, and co-chair of the Privacy Level Agreement Working Group. “In this scenario, the CSA Code of Conduct for GDPR Compliance is of fundamental importance as it gives guidance for legal compliance and the necessary transparency on the level of data protection offered by the CSPs.”
The CSA Code of Conduct for GDPR Compliance is designed to meet both the current, mandatory EU personal data protection requirements (i.e., Directive 95/46/EC and its implementations in the EU member states) and the forthcoming requirements of the GDPR.
More precisely, the CSA Code of Conduct for GDPR Compliance specifies the application of the GDPR in the cloud environment, primarily with regard to the following categories:
- Fair and transparent processing of personal data;
- Information provided to the public and to data subjects (as defined in Article 4 (1) GDPR);
- Exercise of data subjects’ rights;
- Measures and procedures referred to in Articles 24 and 25 GDPR and the measures to ensure security of processing referred to in Article 32 GDPR;
- Notification of personal data breaches to supervisory authorities (as defined in Article 4 (21) GDPR) and the communication of such personal data breaches to data subjects; and
- Transfer of personal data to third countries.
Additionally, the CSA Code of Conduct for GDPR Compliance contains mechanisms that enable the body referred to in Article 41 GDPR to carry out mandatory monitoring of compliance with its provisions by the controllers or processors that undertake to apply it, without prejudice to the tasks and powers of the competent supervisory authorities pursuant to Article 55 or 56 GDPR.
“The CSA Code of Conduct for GDPR Compliance offers cloud customers a tool to evaluate the level of personal data protection offered by different CSPs and make informed decisions on how they will secure that data,” said Daniele Catteddu, Chief Technology Officer, CSA. “We are extremely proud of the work that went into this latest iteration.”
The CSA PLA Working Group was formed in 2012 to help transpose the Art. 29 WP and EU National Data Protection Regulators’ recommendations on cloud computing into an easy-to-use outline for CSPs to follow when disclosing personal data-handling practices. The scope and objective of the PLA initiative was previously presented to the European Parliament as part of discussions on the potential effect of the proposed General Data Protection Regulation on cloud computing. Since then, the PLA Working Group has been engaged in defining a structured method for communicating the level of privacy that a CSP agrees to maintain.