Trust is a key factor when clients and service providers work together to prepare for the EU General Data Protection Regulation (GDPR). These stringent regulations come into force in May 2018 to ensure that personal data is processed in line with strict privacy and security requirements.
Fines of up to €20m or 4% of global revenue can be levied for non-compliance with how the personal data of EU data subjects is processed, stored and accessed – which could be enough to put some companies out of business.
However, choosing a third party to handle data processing in order to simplify your organisation’s journey to GDPR readiness does not mean you hand over responsibility for that data if any breach of the regulations occurs.
The data processor
GDPR includes the concept of a data controller and a data processor. [i] “Data controller” means a person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed.
“Data processor”, in relation to personal data, means any person (other than an employee of the data controller) who processes the data on behalf of the data controller.
“Processing”, in relation to information or data, means obtaining, recording or holding the information or data, or carrying out any operation or set of operations on the information or data, including:
- a) Organisation, adaptation or alteration of the information or data,
- b) Retrieval, consultation or use of the information or data,
- c) Disclosure of the information or data by transmission, dissemination or otherwise making available, or
- d) Alignment, combination, blocking, erasure or destruction of the information or data
As such, the choice of data processor is critical, and IT directors and data protection officers should consider the benefits around working with an experienced cloud service provider.
Crucially, a provider should be able to supply the evidence to show it adheres to specific security and privacy standards. One way for a cloud service provider to do this, under GDPR, is to adhere to a Code of Conduct, which is designed to do precisely that.
EU Cloud Code of Conduct
IBM Cloud is one of the first organisations to declare [ii] 24 IBM Cloud infrastructure and IBM Cloud Platform services to the EU Cloud Code of Conduct (“Code”). Development of the Code began in 2013, and it is the only Code developed in collaboration with EU authorities and the cloud computing community specifically for GDPR.
The Code provides assurance to organisations that data processors signed up to the Code are focusing on data privacy, security and information governance to assure GDPR’s strict requirements are adhered to.
Furthermore, it is the only Code that is independently governed, by the monitoring body of [iii]SCOPE Europe. [iv]It is also the only Code that covers the full spectrum of cloud services from software as a service (SaaS) and platform as a service (PaaS) through to infrastructure as a service (IaaS).
IBM Cloud has already signed up 24 of its IaaS and PaaS services to the Code since March 2017 and can help its clients towards GDPR readiness.
“The Code comes from existing security standards – ISO 27001, ISO 27018 and will map to emerging data privacy standards such as ISO 27552, and it requires evidence that companies adhere to standards,” says Jonathan Sage, government and regulatory affairs executive at IBM. He goes on to clarify “Self-declaration of compliance has no impact. Ticking a box saying you’ve done all that is required is not enough. Behind the Code there are supervisory controls that will document and manifest whether cloud service providers really do comply.”
A quality standard
IBM has 16 datacentres in Europe which gives customers choice about data residency and whether this needs to be within the EU, including a new datacentre built in Frankfurt offering a Bluemix platform. Clients are reassured that IBM Cloud infrastructure has signed up to a Code that’s transparent and its services can provide a quality standard that is GDPR-specific.
“Transparency is very important to the Code. It means that clients can check that third party audits or other mechanisms to comply are in place, rather like a one-stop shop. It can save them a lot of work as it can offer assurances to customers and to the data protection authorities on GDPR readiness,” says Sage.
Organisations working towards compliance with GDPR and concerned about meeting the May 2018 deadline can be reassured that by working with IBM Cloud they can be well-positioned in their readiness journey.
A tool to reach compliance
IBM Cloud, as a signatory to the EU Cloud Code of Conduct, demonstrates its commitment to helping assure that the personal information of EU data subjects is kept private.
“No company can claim they are compliant with GDPR as it is not in existence until May 2018. The Code is a tool to reach compliance and a great way of driving compliance for cloud service providers, and their clients,” says Sage.
By engaging with the Code early, IBM Cloud can demonstrate its internal change programme towards GDPR readiness.
“The fact it is demonstrable and externally transparent is proof to the market. IBM Cloud had an important role in developing the Code and there is a real buzz in the community with co-developers. It is a feather in our cap and shows we have taken leadership and offer transparency around GDPR readiness,” says Sage.
Clients wanting to know more about how IBM Cloud’s platform can help simplify GDPR readiness can visit ibm.com/gdpr.
Clients are responsible for ensuring their own compliance with various laws and regulations, including the European Union General Data Protection Regulation. Clients are solely responsible for obtaining advice of competent legal counsel as to the identification and interpretation of any relevant laws and regulations that may affect the clients’ business and any actions the clients may need to take to comply with such laws and regulations. The products, services, and other capabilities described herein are not suitable for all client situations and may have restricted availability.