This week I attended the CSA EMEA Congress 2019, where I presented on the CSA Code of Conduct for GDPR Compliance, also in my capacity as Co-Chair of the CSA PLA WG.
My presentation covered the fundamentals of the GDPR and the CSA Code of Conduct and discussed the game-changers and pillars of the Code of Conduct, based on the principles of:
- the risk-based approach to compliance
- the right to be forgotten and data portability
- sanctions and enforcement and
- data subject remedies.
The GDPR encourages the use of codes of conduct and certification mechanisms, which can ensure transparency and compliance with the law. Specifically, the CSA CoC provides CSPs with a tool to achieve GDPR compliance and to demonstrate it through self-attestation or certification, providing cloud customers with a valuable tool to aid in the evaluation of the level of data protection compliance of the cloud service provider.
The Code itself considers the roles of controllers, processors, joint-controllers and sub-processors and deals with the B2B scenario. Inspired by the opinions and guidelines of the European Data Protection Board, the European Data Protection Supervisor, national supervisory authorities, ISO standards, and ENISA, it is comprised of three major components, namely:
- The CSA CoC Objectives, Scope, Methodology, Assumptions and Explanatory Notes
- The Privacy Level Agreement Code of Practice
- The CSA Code of Conduct Governance and Adherence Mechanisms.
The CSA CoC provides a set of legal controls for CSPs to comply with GDPR legal requirements, and the CSA Cloud Control Matrix (CCM) provides a set of technical security controls for CSPs to align with market needs and comply with legal requirements. The joint adoption of the CoC and CCM provides CSPs with a compliance suite for both the legal and the technical security requirements of the GDPR.
Adherence to CoC and CCM requirements can be demonstrated by achieving a combination of: STAR Certification or STAR Attestation or STAR Self Assessment and the CoC Certification or Self Assessment.
Interestingly, CSA is currently developing a certification mechanism (Art. 42 GDPR), which will be offered to CSPs as an additional means to show their compliance with GDPR requirements (and will raise the standard for data protection compliance). This mechanism will be strongly based on the CSA CoC controls. Any additional controls or requirements will be included only as strictly necessary to comply with EDPB Guidelines. Furthermore, Certification will be granted by certification bodies (i.e., CSA Auditing Partners which have been accredited by a supervisory authority or national accreditation body).
For more information on the CSA CoC or to receive a copy of my presentation from the CSA EMEA Congress 2019, please don’t hesitate to contact me.