Cloud 101CircleEventsBlog
Master CSA’s Security, Trust, Assurance, and Risk program—download the STAR Prep Kit for essential tools to enhance your assurance!

Working Group

Privacy Level Agreement

This group monitors the legal and regulatory landscape and performs research in the area of privacy and data protection compliance for cloud computing services at a global scale. Currently the group is working to extend the scope of the GDPR Code of Conduct in order to satisfy the data protection/privacy requirements in other relevant countries/states.
Cloud Security Alliance Code of Conduct for GDPR Compliance (Updated - September 2020)
Cloud Security Alliance Code of Conduct for GDPR Compliance (Updated - September 2020)

Download

Privacy Level Agreement
How do privacy and security overlap?
In most aspects of the collection, use or processing of personal data, privacy and security functions overlap or coexist to some extent and at times use similar tools. Privacy and security professionals should regularly communicate to ensure that they understand each other’s responsibilities, needs, capabilities, and limitations; and keep track of the changes to the ecosystem in which the personal data is used by their organization. They also need to ensure that their efforts complement, and do not conflict with, each other, so that they can enable their organization to meet its objectives in the most efficient and cost-effective, manner.

Cloud Service Providers (CSPs) will be responsible for self-determining the level of protection required for the personal data they process.
Data protection compliance is becoming increasingly risk-based. Data controllers and processors are accountable for determining and implementing in their organisations appropriate levels of protection of the personal data they process. In such a decision, they have to take into account factors such as state of the art of technology; costs of implementation; and the nature, scope, context and purposes of processing; as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons. To help address these challenges CSA created the CSA Code of Conduct for GDPR Compliance. It aims to provide Cloud Service Providers (CSPs) and cloud consumers a solution for GDPR compliance and to provide transparency guidelines regarding the level of data protection offered by the CSP. The code can be used to submit a self-assessment to the CSA STAR Registry.

Related training available through CSA.
CSA also offers a course that trains lead auditors & consultants in the CSA GDPR Code of Conduct and the CSA GDPR Certification. This training is led by Prof. Dr. Paolo Balboni (Founding Partner of ICT Legal Consulting). You can learn more about this course here 

Working Group Leadership

Marina Bregkou
Marina Bregkou

Marina Bregkou

Senior Research Analyst, CSA EMEA

Daniele Catteddu
Daniele Catteddu

Daniele Catteddu

Chief Technology Officer, CSA

Daniele Catteddu is an information security and risk management practitioner, technologies expert and privacy evangelist with over 15 of experience. He worked in several senior roles both in the private and public sector. He is member of various national and international security expert groups and committees on cyber-security and privacy, keynote speaker at several conferences and author of numerous studies and papers on risk management, ...

Read more

Working Group Co-Chairs

Paolo Balboni
Paolo Balboni

Paolo Balboni

Founding Partner of ICT Legal Consulting, President of the European PrivacyAssociation Professor of Privacy, Cybersecurity, and IT Contract Law at theEuropean Centre on Privacy and Cybersecurity (ECPC) within the Maastricht University Faculty of Law.

Paolo Balboni (qualified lawyer admitted to the Milan Bar) is a FoundingPartner of ICT Legal Consulting (ICTLC),a law firm with offices in Milan, Bologna, Rome, an International Desk inAm...

Read more

Isabella Oldani Headshot Missing
Isabella Oldani

Isabella Oldani

Martim Taborda Barata
Martim Taborda Barata

Martim Taborda Barata

Martim is a Partner at ICTLC – an international law firm specializing in information and communication technology, privacy, data protection/security, and intellectual property law – having accumulated over 5 years of practical experience in these areas throughout his career. His primary focus is managing privacy and data protection compliance strategies for multinational clients (including organizations in the courier and mail delivery, fin...

Read more

Publications in ReviewOpen Until
Context-Based Access Control for Zero TrustNov 27, 2024
Fully Homomorphic Encryption: A Comprehensive Guide for Cybersecurity ProfessionalsDec 06, 2024
AI Organizational Responsibilities: AI Tools and ApplicationsDec 08, 2024
Zero Trust Guidance for Small and Medium Size Businesses (SMBs)Dec 15, 2024
View all
Who can join?

Anyone can join a working group, whether you have years of experience or want to just participate as a fly on the wall.

What is the time commitment?

The time commitment for this group varies depending on the project. You can spend a 15 minutes helping review a publication that's nearly finished or help author a publication from start to finish.

Open Peer Reviews

Peer reviews allow security professionals from around the world to provide feedback on CSA research before it is published.

Learn how to participate in a peer review here.

Context-Based Access Control for Zero Trust

Open Until: 11/27/2024

The document "Context-Based Access Control for Zero Trust" provides guidance on implementing context-based access control (...

Fully Homomorphic Encryption: A Comprehensive Guide for Cybersecurity Professionals

Open Until: 12/06/2024

The document Fully Homomorphic Encryption: A Comprehensive Guide for Cybersecurity Professionals serves as an in-d...

AI Organizational Responsibilities: AI Tools and Applications

Open Until: 12/08/2024

The integration of LLMs and Generative AI introduces vital security considerations across development and deployment proces...

Zero Trust Guidance for Small and Medium Size Businesses (SMBs)

Open Until: 12/15/2024

In an increasingly digital world, small and medium-sized businesses (SMBs) are facing heightened security challenges, makin...