Cloud code of practice

by Mark Rowe

The Cloud Industry Forum (CIF) reports that its Code of Practice (Code) is addressing the General Data Protection Regulation’s (GDPR) requirements. According to the trade association, this will ultimately bring clarity to the market and will help Cloud Service Providers (CSPs) who want to establish themselves as GDPR ready and give customers a way to publicly identify trusted cloud suppliers.

The GDPR comes into effect across the European Union, including the UK, in May 2018 and will bring new roles and responsibilities for data controllers and data processors. The regulations aim to harmonise law across the EU and better protect citizens’ data. However, as it stands, there is uncertainty about the new laws, as there are no clear and accredited standards in place that specify what measures CSPs must implement to ensure compliance. Hence the CIF has incorporated key parts of the GDPR into its existing Code.

The CIF describes the Code as a framework that enables CSPs to benchmark their operations against standards developed by the industry, and as a checklist for best practice in the provision of cloud services. It is built on transparency, capability and accountability. These have been reviewed by the Cloud Industry Legal Forum, in light of guidance from the European Commission. The Code is recognised by the European Union Agency for Network & Information Security (ENISA).

The trade body says that CSPs who certify to the Code will have the skills and knowledge to ensure their organisation is on the right track for compliance with GDPR. Certified Code resellers are encouraged to update their position to include the GDPR additions.

Alex Hilton, CEO of CIF, said: “The GDPR is a considerable piece of legislation that will leave no space for companies to hide, especially if they don’t take data security seriously. A failure to demonstrate compliance with the GDPR can result in organisations receiving massive punitive fines which, aside from damaging their reputation, could potentially put them out of business. It is therefore vital that these organisations have the appropriate skills and knowledge in place.

“It’s incumbent on CSPs to be able to demonstrate they have the required capabilities. However, in many ways the GDPR is an abstract and non-prescriptive piece of legislation and the absence of a concrete standard makes it difficult for certain companies to be sure that what they have put in place is compliant.”

Visit: https://www.cloudindustryforum.org/content/code-practice-cloud-service-providers.

© 2024 Professional Security Magazine. All rights reserved.