April 14, 2022

Last Updated on January 18, 2024

These days cloud service providers (CSPs) don’t just need to prove to customers and other stakeholders that they are secure—they also need to demonstrate that they have a strong privacy program. But how can CSPs make a convincing attestation about complying with privacy regulations like GDPR?

In response to this industry need, the Cloud Security Alliance (CSA) has added a GDPR compliance component to their suite of programs.

John DiMaria, Assurance Investigatory Fellow and Research Fellow at Cloud Security Alliance (CSA), discusses privacy in the cloud on a recent episode of The Virtual CISO Podcast. John Verry, Pivot Point Security’s CISO and Managing Partner, hosts the show.

Evidence-based self-assessment

CSA’s GDPR compliance program has three parts: the GDPR cloud controls, an implementation guide that shares best practices, and the CSA Code of Conduct. CSPs review their privacy posture against these benchmarks.

The attestation is an evidence-based self-assessment. CSA provides guidance on what evidence to collect and how to collect it. (Generally, the required data is not confidential.) Then an independent third party, an international law firm specializing in privacy, reviews the submission. They provide feedback on whether the evidence is adequate and may ask for additional evidence.

Once a CSP’s GDPR self-assessment is vetted, CSA issues the CSP a certificate that is valid for one year. A CSP that needs to demonstrate compliance with other privacy standards can do so by mapping the GDPR controls to the other framework.

Certifying the CSA Code of Conduct

In 2022, CSA is looking to get its privacy Code of Conduct approved by the European Data Protection Board. Then they can offer third-party certification against their CSA Code of Conduct, which exceeds the GDPR requirements and is specific to the cloud—a combination unique in the industry.

What makes CSA’s privacy program so valuable is that CSPs have few other options to demonstrate their privacy postures. One is a SOC 2 report that includes the Privacy principle. The other is adding the ISO 27701 privacy requirements to the scope of an existing ISO 27001 certification.

The CSA’s GDPR compliance program, soon to be expanded and made more generic and applicable to other privacy regulations besides GDPR, is a third option. And it’s currently the only option for CSPs that don’t already have ISO 27001 or SOC 2 programs in place.

What’s next?

To hear the whole episode featuring John DiMaria from Cloud Security Alliance, click here.

What market pressures are driving CSPs to “up their security game” like never before in 2022? Here’s a forward-looking post from John Verry on the topic: John Verry’s 2022 InfoSec Prediction #8: CSPs Up Their Security Game