Privacy Level Agreement

Meeting Minutes 21 May 2024

    Posted May 27, 2024 05:11:00 AM

    Dear members,

    Below you can find the meeting minutes from the PLA working group call on May 21st.

    You can listen to the recording here:

    Passcode: Y?f62L^N

    Minutes:
    The group discussed the comparison and alignment of the EU Cloud code of conduct and the CSA code of conduct for GDPR compliance, with a focus on identifying any gaps and necessary adjustments. They also explored the transition from the current CSA CoC to the EU Code of Conduct for cloud service providers.

    Comparing EU Cloud and CSA Codes of Conduct
    The group members discussed the task of comparing the EU Cloud code of conduct and the CSA code of conduct for GDPR compliance. The aim is to identify any gaps between the two codes of conduct and to determine whether any adjustments are needed to align them.

    Transitioning to EU Code of Conduct for Cloud Services

    The chairs clarified that the purpose of this exercise is to understand how providers would comply with the new requirements, rather than amending the old CSA Code of Conduct. Jacopo then outlined the initial controls of the EU CoC, emphasizing the need for a Cloud Service Agreement with customers and compliance with applicable EU protection laws. Louis highlighted the specificity and explicit statements of the EU CoC, including the requirement to follow GDPR and other regionally applicable laws.

    Additional Control for Data Processing Agreements
    Isabella suggested an additional control related to the Code of Conduct under the CC section, which would require the service provider to share and execute a data processing agreement with the Cloud customer. This would cover the process carried out by the Cloud Service Providers on behalf of the customer. Isabella also pointed out that this control places a significant compliance effort on the Cloud Service Provider. Louis acknowledged the importance of this additional control and noted the similarity in intent by the 2 CoCs, though the language was slightly different.

    Document Changes and Identification Adjustments
    Isabella suggested the addition of the members' comments for tracking purposes. Louis proposed a change in identification from 'Full gap' to 'Partial gap' for 5.1.B due to the inclusion of WWP 6.1. 

    Cloud Service Agreement and Code of Conduct
    The group highlighted that the CSA's code of conduct was more comprehensive and detailed than the EU Code of Conduct, but pointed out a partial gap in its explicit reference to the General Data Protection Regulation (GDPR). Jacopo brought up control 5.1A which mandates documented procedures for customer inquiries, but Louis and Isabella couldn't find any matching requirements. They decided to investigate this further offline. Lastly, Louis stated that he couldn't find any gaps in the CSA's processing of customer personal data, considering it a "full match".

    Controls Discussion and GDPR Connection
    Marina brought up the connection between the GDPR and the European AI act, while Louis suggested that Dora might also be a relevant participant for this future mapping.

    Previous action items:

    Update on new working group initiative on 'Mapping of the CSA Code of Conduct to the EU Cloud Code of Conduct' online document. The group members are called to work on the mapping in the 3rd Tab called 'PLA CoP v EUCloud COC'. (The first 2 tabs are for consulting). Row 8 can be used as an example.

    • Rows assigned:
      • Louis rows 4, 5, 6, 7, 9 - DONE
      • Marina rows 10, 11, 12, 13, 14 - PENDING
      • Kathie rows 21 to 25 - PENDING
      • Zlavia ??? - Not Volunteered
      • Waleed ?? - Not Volunteered

    New action items:

    Description of task: 'Mapping of the CSA Code of Conduct to the EU Cloud Code of Conduct' online document:
    The group members are called to work on the mapping in the 3rd Tab called 'PLA CoP v EUCloud COC'
    Column C contains the provision/control from the EU Code of Conduct, while Column F will need to be filled with the corresponding provision from the CSA Code of Conduct.
    Column H needs to be filled with the values of No Gap, Partial Gap or Full Gap, depending on the overlap the 2 Codes of Conduct may or may not have. In the case of no gap, no amendment will be necessary from the CSP to the already implemented provision. In the case of 'partial or full gap', the CSP will need to amend the already implemented CSA CoC provision to match the EU CoC benchmark.

    • Isabella (@Isabella Oldani) to review the CSA code of conduct to identify any potential gaps with the 5.1.D row 7, of EU cloud code of conduct.
    • Louis (@Louis Pinault) will review controls 15 to 19 and provide feedback on any gaps or suggestions for improvement.
    • Marina to fill rows 10, 11, 12, 13, 14
    • Kathie (@Kathie Miley) to fill rows 21 to 25.

    The EU Cloud Code of Conduct can be downloaded/consulted here.
    The CSA Code of Conduct is in tab
    'PLA Code of Practice (CoP) v4.1' here.

    Next working group call:

    Date: June 4

    Time: 08:00 a.m. PT / 11:00 a.m. ET / 15:00 GMT

    URL: https://cloudsecurityalliance.zoom.us/j/82987382695?pwd=amZ6cEljSCtXVU01OUVRbUUyTTNRdz09  (Meeting ID: 829 8738 2695, Passcode: 794440)

    Kind regards,
    Marina

    ------------------------------
    Marina Bregkou,
    Senior Research Analyst,
    CSA
    ------------------------------