eDiscovery Daily Blog

If You’re a Cloud Provider or Consumer, Consider These Guidelines on How to Conduct Yourself in Europe: eDiscovery Best Practices

While we were preparing to eat turkey and stuff ourselves with various goodies last week, the Cloud Security Alliance (CSA) provided an important guideline for compliance with the European Union General Data Protection Regulation (GDPR).

The CSA, a world leading organization dedicated to defining and raising awareness of best practices to help ensure a secure cloud computing environment, last week announced the release of the CSA Code of Conduct for GDPR Compliance, which provides cloud service providers (CSPs), cloud customers, and potential customers with much-needed guidance in order to comply with the new obligations stemming from the GDPR.  As part of the release, the CSA also launched the CSA GDPR Resource Center, a new community-driven website with tools and resources to help educate cloud service providers and enterprises on the new GDPR.

“Companies worldwide are struggling to keep pace with shifting regulations affecting personal data protection. The Privacy Level Agreement (PLA) Working Group realized it was critical for cloud providers to have guidance that would enable them to achieve compliance with EU personal data protection legislation,” said Francoise Gilbert, CSA Lead Outside Counsel and PLA Working Group co-chair.

“With the introduction of GDPR, data protection compliance becomes increasingly risk-based. Data controllers and processors are accountable for determining and implementing within their organizations appropriate protection levels for the personal data they process,” noted Paolo Balboni, European ICT, privacy and data protection lawyer, and co-chair of the Privacy Level Agreement Working Group. “In this scenario, the CSA Code of Conduct for GDPR Compliance is of fundamental importance as it gives guidance for legal compliance and the necessary transparency on the level of data protection offered by the CSPs.”

The new CSA Code of Conduct for GDPR Compliance is designed to meet both the current, mandatory EU legal requirements for personal data protection (i.e., Directive 95/46/EC and its implementations in the EU member states) and the forthcoming requirements of the GDPR. It specifies how the GDPR applies in the cloud environment, primarily with regard to the following categories:

  • Fair and transparent processing of personal data;
  • Information provided to the public and to data subjects (as defined in Article 4 (1) GDPR);
  • Exercise of data subjects’ rights;
  • Measures and procedures referred to in Articles 24 and 25 GDPR and the measures to ensure security of processing referred to in Article 32 GDPR;
  • Notification of personal data breaches to supervisory authorities (as defined in Article 4 (21) GDPR) and the communication of such personal data breaches to data subjects; and
  • Transfer of personal data to third countries.

The CSA Code of Conduct for GDPR Compliance also contains mechanisms that enable the body referred to in Article 41 (1) GDPR to carry out mandatory monitoring of compliance with the Code by the controllers or processors who undertake to apply it, without prejudice to the tasks and powers of the competent supervisory authorities pursuant to Article 55 or 56 GDPR.

With the GDPR taking effect in less than six months, you can expect to hear more about it on this blog and in other publications in the coming months. Click here to access the CSA Code of Conduct for GDPR Compliance (after completing a short survey).

So, what do you think? Is your organization preparing for GDPR? Please share any comments you might have, or let us know if you’d like to know more about a particular topic.

Hat tip to Rob Robinson and his excellent Complex Discovery blog for coverage of the story.

Disclaimer: The views represented herein are exclusively the views of the author, and do not necessarily represent the views held by CloudNine. eDiscovery Daily is made available by CloudNine solely for educational purposes to provide general information about general eDiscovery principles and not to provide specific legal advice applicable to any particular circumstance. eDiscovery Daily should not be used as a substitute for competent legal advice from a lawyer you have retained and who has agreed to represent you.