From May 2018, when the upcoming EU GDPR (General Data Protection Regulation) comes into force, the requirements for managing personal data will change. The requirements for maintaining consumers’ privacy are significantly more stringent through this new framework.
A common concern among cloud customers is ensuring compliance with GDPR when using cloud services. GDPR also places new, more stringent requirements on Cloud Service Providers (CSP). In response, two Codes of Conduct (CoC) for Cloud Service Providers were published in early 2017. This report provides a comparison of these and advice to cloud customers on how to use these.
1. Both Cloud Codes are at an early stage in their evolution. They may be in part a defensive move by CSPs to protect against the more stringent requirements placed by GDPR on processors. However, they still provide some benefits to cloud customers. Currently, compliance with these codes is through self-assessment. To be credible, future claims of compliance with a Code must be based on independent audits and governance bodies with real teeth.
2. The Codes do not override the contract: both Codes emphasize that they do not replace a contract or Service Level Agreement (SLA) between the CSP and the customer. However, cloud service contracts and SLAs are typically written by the CSP and offered on a take it or leave it basis.
3. The Codes do not replace certification: There is still a need for independent certification / attestation that a cloud service complies with security standards or regulations that customer organizations need. The customer, must ensure that any cloud service they use has been independently certified as compliant to their needs.
4. Customer is still responsible: in the most of cases the cloud customer is legally the Data Controller for the personal data that is being processed in the cloud service. It is vital to ensure that the CSP is aware that the service is being used to process this data in compliance with GDPR, and that these requirements are documented through a legally binding contract or agreement.
5. Responsibility for compliance is shared: between the customer and CSP when using cloud services. Make sure you understand this split and ensure that you meet your own responsibilities as well as assuring that the CSP meets theirs.