Since 2009, the Cloud Industry Forum (CIF), has been endeavouring to raise standards and improve transparency in the cloud sector. CIF has now announced enhancements to its Code of Practice (Code) to address the General Data Protection Regulation’s (GDPR) requirements. This will ultimately bring clarity to the market and will help Cloud Service Providers (CSPs) who want to establish themselves as GDPR ready and give customers a clear path to publicly identify trusted cloud suppliers.
The GDPR comes into effect in May 2018 and will bring new roles and responsibilities for data controllers and data processors. The regulations aim to harmonise legislation across the EU and better protect citizens’ data. However, as it stands, there is uncertainty about the new laws as there are no clear and accredited standards in place that specify what measures CSPs must implement to ensure compliance. CIF has therefore incorporated key components of the GDPR into its existing Code framework to help organisations navigate and comply with the terms of the regulations.
The CIF Code is a comprehensive framework that enables CSPs to benchmark their operations against standards developed by the industry and, in many ways, is a checklist for best practice in the provision of cloud services. It is built on three pillars: Transparency, Capability and Accountability. These have been carefully reviewed by the Cloud Industry Legal Forum, in light of guidance from the European Commission. The Code is recognised by the European Union Agency for Network & Information Security (ENISA).
CSPs who certify to the Code will have the skills and knowledge to ensure their organisation is on the right track for compliance with GDPR. Additionally, existing certified Code resellers are encouraged to update their position to include the GDPR additions.
Alex Hilton, CEO of CIF, commented: “The GDPR is a considerable piece of legislation that will leave no space for companies to hide, especially if they don’t take data security seriously. A failure to demonstrate compliance with the GDPR can result in organisations receiving massive punitive fines which, aside from damaging their reputation, could potentially put them out of business. It is therefore vital that these organisations have the appropriate skills and knowledge in place.
“It’s incumbent on CSPs to be able to demonstrate they have the required capabilities. However, in many ways the GDPR is an abstract and non-prescriptive piece of legislation and the absence of a concrete standard makes it difficult for certain companies to be sure that what they have put in place is compliant.”
Frank Jennings, lawyer and chair of the Code of Practice governance board explained: “Cloud providers (and their customers) could face fines of up to ˆ20m for data breaches under GDPR and Brexit won’t change that. Compliance with the updated Code should help compliance with GDPR and will reduce the likelihood of a receiving such a fine.
"The GDPR will force customers to go back to their service providers to verify they are ready to deliver on their commitments under the new regulation. Similarly, customers selecting a new provider will include GDPR in their due diligence. For service providers GDPR is a mission critical event for the retention of existing customers and winning new customers and the CIF Code is there to provide assurance to customers," added Frank Bennett, Deputy Chair of CIF.
“This is exactly why we have enhanced our Code of Practice. The updated certification will help guide companies on their path to compliance with the GDPR. CIF’s Code aims to bring greater transparency and trust when doing business in the cloud, and these attributes are key determining factors for the success of any CSP who wants to prosper now and once the GDPR comes into full effect. Due to the updates that have been implemented, we believe that everyone will be able to gain the support they need and that confidence will be instilled in clients and customers. But ultimately, this will help create a better and safer cloud for all,” added Alex.
Richard Pharro, CEO of APM Group, concluded: “Nearly 90% of UK companies are now using at least one cloud based service to run their business. These businesses are reliant on their provider to protect their assets. Having confidence that their supplier has the necessary controls in place to comply with GDPR regulations will be a key selection criterion for many businesses. The enhanced Code provides a simple and transparent verification of your supplier’s capability.”