GDPR Resource Center
GDPR, Cloud Services & Privacy
The new General Data Protection Regulation (GDPR), published in the Official Journal of the European Union (OJEU) on 5 March 2016, enters into force on 25 May 2018.
The regulation will apply to all industries across the European Union. In preparation for the regulation, the Cloud Security Alliance (CSA) has prepared various tools and resources to help both enterprises and cloud service providers comply with the regulation.
What is the CSA Code of Conduct for GDPR Compliance?
Whether you are an enterprise Data Protection Officer using cloud services or a Cloud Service Provider, the CSA Code of Conduct for GDPR Compliance provides a consistent and comprehensive framework for complying with the EU's GDPR. The CSA Code of Conduct is designed to offer both a compliance tool for GDPR compliance and transparency guidelines regarding the level of data protection offered by the Cloud Service Provider.
The Code of Conduct for GDPR Compliance provides:
- Flexibility - can be applied to any cloud delivery model (IaaS, PaaS or SaaS)
- Transparency - provides cloud customers with a clear understanding and a transparent view of what the Cloud Service Provider is doing
- Rigor - the CSA CoC provides a rigorous and proven template for adhering to GDPR privacy requirements
- Utility - cloud customers of any size can use this tool to evaluate the level of personal data protection offered by different CSPs (and thus to support informed decisions)
- Completeness - provides CSPs of any size and geographic location with guidance to comply with European Union (EU) personal data protection legislation and to disclose the level of personal data protection they offer to customers
CSA Code of Conduct for GDPR Compliance
The flagship CSA tool is the CSA Code of Conduct for GDPR Compliance.
This comprehensive tool provides a number of benefits:
- Shows adherence to GDPR privacy requirements
- Streamlines contracting, accelerates sales cycles
- Provides assurance to cloud customers of data privacy in conjunction with CSA STAR
- Applies to CSPs acting as Data Processor and as Data Controller
- Demonstrates full compliance by connecting legal to technical requirements through a combination of the Code of Conduct and CSA STAR Level 1 and 2
- Streamlines contracting
- Reduces time needed for internal legal review
- Highlights topics and contracting terms for internal discussion and external negotiation to make informed decisions
- Provides enterprise legal teams with an established framework for GDPR compliance when contracting for cloud services
"I think [the PLA Outline] is a very helpful document, both for potential customers of CSPs and for CSPs themselves."
By following the WP29 Opinion closely, it ensures that both parties understand the obligations under EU law – probably the strictest requirements they will have to comply with.
Hopefully it will be accepted by CSPs that, if they want to be viewed as acceptable service providers – especially by EU-based organisations – they are going to have to be able to answer successfully the questionnaire that is annexed to the document.