Compliance with the European Union’s General Data Protection Regulation (GDPR) is moving from a theoretical construct to an existential threat as the May 25, 2018, deadline rapidly approaches. To give service providers and their customers some guidance on how to achieve GDPR compliance before that date, the Cloud Security Alliance (CSA) this week published the CSA Code of Conduct for GDPR Compliance.
In addition, the CSA unveiled the CSA GDPR Resource Center, an online community providing access to tools and resources to help educate cloud service providers and enterprises on how to ensure GDPR compliance.
Evolving guidance on GDPR compliance
CSA CTO Daniele Catteddu says the CSA Code of Conduct for GDPR Compliance has been a work in progress over the past four years, with input from EU officials and compliance experts. The code, adds Catteddu, will soon be formally reviewed by the committees in charge of finalizing the GDPR to make sure nothing has been overlooked. The goal is to give service providers a step-by-step process for achieving GDPR compliance, which enterprise IT organizations in turn can use to evaluate service provider compliance consistently, says Catteddu.
The CSA Code of Conduct for GDPR Compliance spans everything from the processing of personal data and how to transfer that data, to what to do in the event personal data is breached. However, Catteddu notes that some aspects of the GDPR are still subject to review by EU committees, so the CSA Code of Conduct for GDPR Compliance will likely be updated continuously. Regardless, Catteddu says the code gives organizations a reliable set of guidelines for coming into compliance with a set of far-reaching regulations.
GDPR opportunities for MSPs
In general, Catteddu says it is still too early to tell how much data management organizations will outsource to achieve GDPR compliance. But several companies have already outsourced the role of chief data officer, a position the GDPR requires. As such, IT service providers with GDPR expertise are likely to be in high demand.
Catteddu says that, given the state of the GDPR, it may not be reasonable to expect every organization to be fully compliant with every aspect by the end of May. Whatever progress is made, though, much of the work service providers do today will also apply to several similar GDPR-style regulations that have either already been approved around the globe or soon will be.
In the meantime, IT service providers should gear up for a sharp spike in GDPR engagements. Many companies headquartered within the EU are no doubt familiar with the regulation. But many companies outside the EU are not familiar with how costly non-compliance can be, even when they have only a few customers residing in the EU. Fines for failing to comply with the GDPR can be as high as €20 million or up to 4 percent of global revenue for the preceding financial year, whichever is greater. Regardless of how strictly the GDPR is enforced, the potential financial risks of non-compliance are simply too high to ignore.
Would be worth writing a separate article on data controllers/processors and how to get GDPR ready, as this is a bit of a fuzzy field. However, great article and keep up the good work!