Privacy Level Agreement Code of Conduct
The GDPR legislation introduced stronger rules on data protection, giving people more control over their personal data and ensuring a level playing field for businesses. It includes many requirements relating to cloud services but it is clear that CSPs need guidance in order to ensure compliance with this complex new law. Cloud customers need support in assessing the privacy and security of their CSP.
Enter the Privacy Level Agreement Code of Conduct (PLA CoC), which is based on Cloud Security Alliance’s Privacy Level Agreement (PLA) Code of Practice (CoP).
The Code of Conduct is made up of two components:
| Code of Practice | Governance Structure |
|---|---|
| The technical standard, developed by the Cloud Security Alliance, includes a set of controls that a Cloud Service Provider (CSP) should implement in order to establish adherence to the GDPR requirements. | The cloud security certification landscape changes rapidly, meaning that any code of practice has to be monitored and managed to ensure it is up to date. The governance structure ensures consistency, control and proper implementation of any required changes. This component is the work of the EU-SEC project. |
Helping Cloud Service Providers to Achieve Compliance
The Privacy Level Agreement (PLA) Code of Conduct (CoC) provides guidance and support to CSPs as they work towards demonstrating compliance with the requirements of GDPR.
Compliance can be achieved via:
- PLA CoC Self-Attestation
- PLA CoC Third-Party Certification
CSPs wishing to adhere to the CoC should submit a Statement of Adherence to the Cloud Security Alliance. Working through the self-assessment should be seen as a useful readiness exercise for CSPs wanting to assess their status with regard to compliance.
Successful CSPs will be awarded a compliance mark by the Cloud Security Alliance.
Providing Transparency to Enterprise Customers of Cloud Service Providers
The GDPR regulations are complex, and it is not easy for cloud customers to judge which CSPs are correctly processing personal data and therefore to make informed decisions about their choice of CSP.
The issue of ACCOUNTABILITY is critical. Businesses passing on data to a CSP for processing have an obligation to make sure the data is correctly handled all along its route, and the fines for not doing so are steep. Knowing that a CSP adheres to the Code of Conduct is a sure way of knowing that the organisation is compliant.