Privacy Level Agreement

Meeting Minutes 12 March 2024, 27 February 2024 and 13th February 2024.

    Posted Mar 20, 2024 05:22:00 AM

    Call on 12 March was canceled.

    Minutes 27 February:

    Marina shared updates about the adoption of the European Cloud Code of Conduct by CSA and the latest CSA research. Jacopo discussed the business's privacy policy and the importance of third-party service agreements. Martim and Marina then discussed the potential shift from the CSA code of conduct to the EU cloud code of conduct, and the possibility of adapting their current project to the new code.

    CSA Adopts European Cloud Code, Updates and Events:

    Marina informed the team that the European Cloud Code of Conduct has been officially adopted by CSA. She then shared updates on the latest CSA research, including a partnership with the European Cloud Code of Conduct to establish market standards for robust data protection. Additionally, she mentioned that there will be an upcoming event, the Think Cloud Security Summit, and several other events through 2024. However, there was a concern about the absence of Paulo, whose feedback was needed for some discussions.

    Privacy Policy and Feedback Discussion:

    Marina and Isabella discussed some action items and feedback. Marina noted that there were some inputs to be shared and discussed. Jacopo then began presenting, sharing his screen to discuss the business's privacy policy. He highlighted the importance of agreements with third-party service providers and contractors to ensure compliance with applicable obligations. Jacopo also mentioned that there were some comments on the pronunciation of a name and asked for clarification on how these comments could be integrated into an amendment for the relevant control.

    Transitioning From CSA to EU Cloud Code of Conduct:

    Martim and Marina discussed the shift from the CSA code of conduct to the EU cloud code of conduct following the discontinuation of the former. Martim suggested a possible transition by adapting their current project, which aims to update Annex 10, to the new code of conduct. However, he expressed concerns about the potential endorsement of their activities by Scope Europe, the owner of the EU cloud code of conduct. Marina confirmed CSA's interest in adapting to other parts of the world, such as the US, and mapping the CCPA to the new code of conduct. She also mentioned a preliminary conversation with Scope Europe, but the outcome was uncertain. Martim concluded that if CSA is willing to move forward, it is likely that Scope Europe would also show interest.

    CSA Code vs EU Cloud Code Comparison:

    Martim and Isabella discussed the possibility of continuing work on mapping the CSA code of conduct to the EU Cloud Code of Conduct, with the option of either scrapping the previous work or using the EU code as a reference. They considered comparing the CSA code and the EU code to see whether that is more efficient or whether they can salvage some of the work already done. They also considered creating a table to compare the two codes, and Martim suggested creating a separate table for the GDPR code to save time.

    Next steps:

    • Isabella will message the team to join the meeting on the EU Cloud CoC adoption discussion.

    • The team will take a few days to consider the best approach for mapping the CSA code of conduct to the EU Cloud code of conduct. They will then provide an update to the group and explain how they will set up the document for reviewers.

    Next call: 12 March

    ------------------------------------------------------------------------------------------------------------------------------------------------------------------

    Minutes 13 February:

    Service Provider Contract Requirements and GDPR Compliance:

    Isabella Oldani led a discussion about the definition of a service provider and the requirements for their contracts. She explained that the contract must prohibit the service provider from selling or sharing personal information, retaining or disclosing it for any other purpose, and processing personal information outside the direct business relationship. The contract should also prevent the service provider from combining personal information received from the business with other personal information. Isabella Oldani noted a gap in the current controls under the General Data Protection Regulation (GDPR) and the code of conduct. She suggested amending the controls to specify that audits should be performed at least once every 12 months. Yuvaraj Madheswaran raised a question about finding the relevant controls in the PLA and Annex, which Isabella Oldani clarified by directing him to the relevant tab of the PLA Code of Practice.

    Code Amendment Guidance and Roles Discussion:

    Isabella Oldani provided guidance to Yuvaraj on how to amend the code of practice in relation to the CCPA. She instructed him to review the requirements and suggest changes to fill any gaps. Yuvaraj agreed to make these changes and ensure they were completed by the next meeting. Additionally, Louis expressed his willingness to undertake the tasks assigned but requested to review his comments to confirm his understanding. Marina then transitioned the discussion to Louis's roles.

    Contractor Terms and Data Sharing Discussion:

    Isabella Oldani and Louis Pinault discussed the contractual terms of contractors, focusing on restrictions, certifications, and the prohibition of selling and sharing personal data. They identified a gap in the current contract terms and recommended revising them to ensure the contractor is also prohibited from sharing personal data. They also touched upon the definitions of "service provider" and "contractor" and how they overlap, but decided to focus on contractors for the time being. The conversation ended with an agreement to revisit the definitions and discuss the issue further in the next meeting.

    Cloud Data Protection Compliance:

    Louis and Isabella Oldani discussed the compliance of cloud customer data with data protection obligations, including the need for audits. Isabella Oldani clarified that an agreement between a cloud service provider and a controller is necessary to comply with Article 28 of the GDPR, which requires audits. She also highlighted that a breach of this regulation would be a violation. There was a concern raised by Louis about the potential for proprietary data to be shared with the cloud customer, which was left unresolved.

    Contract, GDPR, Audit, Code of Conduct, CSA:

    Isabella Oldani and Louis Pinault discussed the requirements of audits and scans in the contract they were reviewing. Isabella Oldani suggested that the contract's wording was not very specific, but that it generally aligned with the GDPR's requirements. They identified a potential gap in the time frame, with the contract requiring audits at least once every 12 months, which is more restrictive than the GDPR. Isabella Oldani also recommended looking into the CCP and spotting the differences between the contract and the business's other contracts. In a separate conversation, Marina brought up the adoption of a new code of conduct by the CSA and asked Isabella Oldani and Louis if their teams had been informed. Isabella Oldani agreed to inquire about this with her team. Additionally, Marina asked about the existence of a newer version of the code of conduct, which Isabella Oldani also promised to investigate.

    Document Status and Assignment Discussion:

    Marina and Isabella Oldani discussed the status of various roles in a document, identifying two roles (2, 28 and 2, 35) as unassigned and two others (2, 14 and 2, 15) as pending. They also discussed the use of red lines in the document to indicate missing inputs. Isabella Oldani suggested scanning the document again to ensure its accuracy. They agreed to assign room 269 for consistency and scheduled their next meeting for the twenty-seventh of February.

    Previous action items:

    In the Excel file '2023_11_03_CPRA - PLA_CoP_Mapping (WiP)', tab "CPRA - PLA_CoC Mapping": for the cells in column J, members need to review the co-chairs' comments entered there and fill in column L by addressing either the full gap or the partial gap, as identified and commented by the chairs in column J.

    Next action items:

    • Louis will review his comments on the controls and gaps identified by Isabella and discuss them further.

    • Isabella will think about the definition of service provider and discuss it in the next call.

    • Isabella will ask her team about the new code of conduct and version 4.5.

    • Isabella and Marina will review the document to assign roles and discuss pending ones.

    ------------------------------
    Marina Bregkou,
    Senior Research Analyst,
    CSA
    ------------------------------