By Daniele Catteddu, Chief Technology Officer, Cloud Security Alliance
On November 21, the CSA released the Code of Conduct for GDPR Compliance. This new document is part of CSA’s continuous effort to support the community with best practices that will help cloud providers and customers alike face the tremendous challenge of General Data Protection Regulation (GDPR) compliance.
Our code has been officially submitted to the attention of the Information Commissioner’s Office, the UK Data Protection Authority, for its review, as well as to all the other European Data Protection Authorities (DPAs). We are confident that we’ll receive positive feedback that will allow CSA to proceed with the final submission to the Article 29 Working Party (WP29) and European Commission for their endorsement.
GDPR, as many have already commented, represents a substantial change in the privacy and security landscape. It will affect every business sector, and cloud computing won’t be exempt. GDPR imposes on companies doing business in Europe a set of new obligations, but perhaps most importantly it demands a change in attitude vis-a-vis the way organizations handle personal data.
The GDPR requests that companies take a new approach to privacy and security and be good stewards of the data that is entrusted to them. Further, they are being asked to demonstrate accountability and transparency. In theory, this shouldn’t be a big shock to anyone since the principles of accountability, responsibility and transparency are meant to be the basic foundations of any company’s corporate code of ethics. Unfortunately, we have realized that not all of the companies out there have been applying these principles of common sense in a consistent manner.
But perhaps the biggest change that GDPR is imposing is related to the stricter approach to the enforcement of the rules that regulators have taken. The fines that will be imposed for non-compliance definitely reflect a punitive logic. Fines will be substantial and are meant to be a deterrent to those organizations looking for short cuts.
In such a context, we are all noticing a crazy rush to GDPR compliance, with countdowns all over the internet reminding us how quickly the May 25 deadline is approaching.
So just in case you weren’t confused enough on how to tackle GDPR compliance, you can be even more stressed about it.
A cultural change doesn’t happen overnight though. The radically new attitude requested by GDPR and the related updates to policies and procedures can’t possibly be defined, tested and implemented in one day. Those familiar with the management of corporate governance are well aware of how lengthy and expensive the process of changing the internal rules and approaches can be. Rome wasn’t built in a day, and likewise this privacy revolution won’t magically happen one minute past midnight on May 25.
My bet is that given the magnitude of the effort requested by GDPR compliance, both in terms of cultural change and money, it is unlikely that all of the organizations, especially small- and medium-sized companies and public administrations, will be able to meet the May deadline.
This is because, besides the objective difficulty of the task, there are still some provisions and requirements to be clarified, for instance the Data Breach Notification (the WP29 is working on it). Moreover, there are some known and some hidden problems, for example the tension between data backup and data deletion that will manifest itself when the new rules are put into practice.
To complicate matters further, in the period leading up to May 25, companies will still need to do business and sign contracts that in the majority of cases aren’t GDPR-ready, and it is likely that a supplemental effort will be requested for a retrofitting compliance exercise.
None of the above is an excuse for not working hard to achieve compliance; it is rather to say that it will take time to achieve 100-percent compliance and that in some cases, even that won’t be entirely possible.
What to do? I’d personally look at the GDPR compliance project as a journey that has already started and won’t finish in May. I’d focus on defining the policies and procedures for GDPR compliance, and I’d start implementing them. I’d base my new approach, as much as possible, on standards and best practices, which typically provide a good direction. Perhaps standards won’t be the ideal route for me, but that’s not important, since finding the ideal route always requires some correction to the general trajectory.
Standards will assure me that the approach I’m using and the policy I’m defining are likely to be understood by my business partners. Policy interoperability between the cloud service provider and the customer is a fundamental requirement for a sound cloud governance approach, and it will be a key requirement for a successful GDPR compliance journey.
So, adoption of standards, policy interoperability, and what else? Well, transparency of course.
I’d aim for transparency within my organization, and I’d seek out transparency in my business partners. If I want to be a proper steward of data, if I want to make proper risk decisions, if I need to implement accountability, then I need to rely on data, evidence, and facts, which means that I need to work with partners that are willing to collaborate with me and be transparent.
And what if I won’t be 100-percent ready by May? I’d make sure I’m documenting all the actions taken in order to build and implement my GDPR compliance framework. This will help me provide evidence of my strategy, my good faith, my direction, and my final goal for the regulators. After all, the law is not demanding perfect privacy and security, it’s asking for a risk-based approach to privacy.
I recommend that everyone reading this post seriously consider adopting the CSA Code of Conduct for GDPR Compliance together with our Cloud Controls Matrix (or any equivalent information security best practice). These are the free standards we offer to community members to support their GDPR compliance journey.