Cloud services, the gateway to big, free-flowing and properly protected data? - 3 February 2015
We would like to extend an invitation to you to participate in a CiPP workshop on:
“Cloud services, the gateway to big, free-flowing and properly protected data?”
03 February 2015, 17:45 – 18:45, Brussels
Many innovative applications using cloud services and big data rely on trans-border data flows. Following the Snowden revelations and increased incidents or cyber-attacks, cloud security (including processing and storage locations) has become a very high priority for cloud providers, cloud customers and regulators. This panel will share views on how the right balance can be struck between privacy and security considerations on the one hand, and securing the numerous benefits provided by innovative technologies on the other hand. As usual, the subsequent debate will allow you to voice your own perspective or concern under Chatham House rules.
Speakers (biographies are enclosed):
- Gwendal Le Grand, Director of Technology and Innovation, CNIL
- Achim Klabunde, Head of IT Policy sector, EDPS
- Ruth Cullinane, Data Protection & Privacy Manager, EMEA, Dell
- Mark Lange, Director, EU Institutional Relations, Microsoft and Chair, Cloud Council, DIGITALEUROPE
When: 03 February 2015, 17:45 – 18:45.
14 Rue de la Science
Registration: The number of seats is limited. Please register online here before 30 January.
DIGITALEUROPE will demonstrate industry’s activities in this domain and the solid and positive impact Cloud Computing can make on the European economy. These workshops will demonstrate best practice and deep dive into the issues providing a powerful education platform for industry and political stakeholders to share information and discuss opportunities relating to the Cloud in Europe.
For more information on the Cloud in Practice Programme, do not hesitate to get in touch with us or visit our website: http://www.digitaleurope.org/Ourwork/BoostingDigitalGrowth/Cloudcomputin...
Cloud in Practice Programme - Workshop on ‘Cloud services, the gateway to big, free-flowing and properly protected data?’ – 3 February 2015
Gwendal Le Grand, Director of Technology and Innovation, Commission Nationale Informatique et Libertés (French DPA)
Achim Klabunde, Head of IT Policy sector, European Data Protection Supervisor
Mark Lange, Director, EU Institutional Relations, Microsoft and Chair, DIGITALEUROPE Cloud Council
DPAs make it a point to spread practical information meant to help their constituencies. For example, CNIL has articulated 7 steps worth pondering before taking action:
1. Identify the data and processing concerned
2. Define your own technical and legal requirements
3. Evaluate risk and design security to match
4. Ponder the current taxonomy of cloud offerings to pick a solution that fits your needs
5. Choose CSPs with sufficient guarantees
6. Adjust internal security processes
7. Check regularly if the services suit your needs.
The EDPS site too is worth a visit if you look for practical tips:
The very speed of ICT changes is a challenge for regulators. Think of the original taxonomy: public, private, hybrid; IaaS, PaaS, SaaS. Is it still relevant at a time when hybrid solutions enjoy the fastest growth? Will a reference to cloud still make sense in a few years?
Providers and users of cloud services should realize that signing up to codes or having secured the right certificates is no relief from liability. Indeed, shifting to the cloud no more suspends the regular rules than driving an electric car exempts you from the rules of the road. You need only consider the latest data breaches, which struck companies that had all the right registrations. More broadly, legal requirements apply across the board and are not negotiable.
Regarding certification, diversity is not an issue: self-certification may fit some data and some controllers better than expensive auditing, and vice versa. ENISA or CSA branding will likely be felt as warranting confidence. Arguably, diversity may inform marketing as well, with aggregators offering multi-layered propositions depending on which type of security and control your data are eligible for. Such developments position data protection as a possible way to gain competitive advantage, since a demonstrated ability to ensure compliance at all times cannot but inspire trust. There is widespread concern, though, that cost considerations may well drive SMEs into a corner where there is actually no choice.
Why not make codes and certification processes sector-specific? Though some contend that code proliferation will only spell confusion among CIOs, others argue that tailor-made instruments will be seen as the ultimate trust-building measures. Education is a case in point: some countries will demand extra security features and a strictly defined stamp of approval, depending on the part played by government in this particular area.
Assuming that the draft code is approved and enacted, complete with a governance structure, the time will come to sell it to potential signatories. It will be up to supporters of this code to secure proper evangelization.
The transition from the 1995 Directive to the GDPR shouldn’t raise major issues. While complying with the former piece of legislation, the code is by and large GDPR-ready.