
A Malaysian Cloud Code of Conduct?

by GEORGE MATHEWS

The Malaysian Communications and Multimedia Commission (MCMC) said on October 16, 2021 that it will adopt light-touch controls on cloud services beginning January 1, 2022, but that they will not be fully implemented until April 1, 2022. The draft Cloud Service Regulation has yet to be made public.

The new regulation’s foundation, according to the MCMC’s Advisory Notice (FAQs) on the Cloud Service Regulation, is to address data integrity and security problems arising from increased use of cloud services, as well as to offer sufficient legal protection to users and relevant public bodies.

The MCMC also believes that by licensing cloud service providers it will be able to set industry technical standards, which can only be enforced through licensing. These standards are meant to ensure that cloud service providers follow best practice.

EU Cloud Code of Conduct

Following the Belgian Data Protection Authority’s submission, the European Data Protection Board (EDPB) approved the EU Cloud Code of Conduct on May 19 last year, and the Belgian Data Protection Authority then gave its final approval.

The Code is now the first pan-European code of conduct for cloud service providers (CSP) that addresses requirements under Article 40 of the GDPR for all cloud products.

Applicability of the Code

The Code applies to all cloud service delivery models, including IaaS, PaaS, and SaaS. The Code is appropriate for businesses that provide many types of cloud services because of its broad approach.

The Code only applies to B2B cloud services where the CSP is acting as a processor under Article 28 of the GDPR, not to B2C services or other processing activities where the CSP is acting as a data controller.

Customers of cloud services may still find the Code useful because it provides an additional guarantee of compliance when entrusting their data to adhering CSPs.

The Code facilitates GDPR compliance

The Code is made up of a collection of requirements that CSPs must follow in order to comply with it. These requirements are backed up by a Controls Catalogue, which aids in conformity assessment by mapping the required auditable parts (dubbed “controls”) and providing a list of the Code’s requirements with comparable GDPR rules and applicable international standards.

The Code does not take the place of a contract between a CSP and a customer, but CSPs must ensure that the provisions of their Cloud Services Agreement are in compliance with the Code. The Code includes a set of data protection principles targeted to cloud computing services, including:

  • Lawfulness of processing: adherence to the data controller’s instructions and establishment of documented procedures to comply with duties and internal communication mechanisms;
  • Sub-processing: rules on engaging a new sub-processor, including documented procedures for passing the same data protection obligations and appropriate technical and organisational measures down the processing chain;
  • International transfer of customer personal data: ensuring CSPs will adequately communicate transfers to customers; however, this Code is not a Code of Conduct under Article 46 GDPR on third-country transfers;
  • Right to audit: implementing appropriate and accessible mechanisms for providing evidence of compliance to customers with established confidentiality obligations;
  • Liability: stating that customers have a right to pursue the liability regime of the Cloud Services Agreement and of Chapter VIII (remedies and liability) of the GDPR;
  • Customer cooperation: in exercising their rights;
  • Assistance for personal data breaches: this assistance includes establishing reporting procedures, specifying data breach notification obligations, and ensuring that the customer can retrieve personal data promptly and without hindrance in a common structured format.

Demonstrate different levels of compliance

The Code has a three-tiered framework with three different Levels of Compliance. All provisions of the Code must be followed by all companies at every level. The levels differ in the proof of compliance presented to the Monitoring Body, and each Level of Compliance builds on the preceding one. The levels are as follows:

First Level of Compliance: performance of an internal review and documentation of implemented measures to comply with Code requirements.

Second Level of Compliance: the First Level of Compliance, partially supported by independent third-party certificates and audits with specific relevance to the cloud service that is declared adherent. The ‘Controls Catalogue’ section gives guidance on third-party certificates and audits offering an equivalent level of compliance (e.g. ISO, SOC 2 and C5:2016 standards).

Third Level of Compliance: compared to the Second Level of Compliance, this level of compliance is fully supported by independent third-party certificates and audits conducted with specific relevance to the cloud service that is declared adherent.

Monitoring of adherence

SCOPE Europe, a non-profit organisation based in Belgium, is the Code’s owner and also the approved Monitoring Body that checks compliance with the Code. Verification takes place through an initial assessment, repeated evaluations at least once every 12 months, and ad hoc assessments when the Monitoring Body deems it necessary.

Governance and organisational framework

A General Assembly, Steering Board, Code Supporters, and Secretariat are all part of the Code’s governing structure. The General Assembly is made up of the organisations that are members of the Code. The original members (Alibaba Cloud, Fabasoft, IBM, Oracle, Salesforce, and SAP) are members of the General Assembly, as are all other members whose application to join was granted.

In the General Assembly, Code Supporters (such as user organisations, consumer protection organisations, industrial groups, government entities or agencies, supervisory authorities, academics, or consulting firms) do not have voting rights.

Becoming adherent to the Code

A corporation must be a member of the General Assembly to demonstrate adherence. Companies are not expected to be instantly compliant with the Code after joining, but they should demonstrate and report compliance within a reasonable timeframe.

Members must sign a Declaration of Adherence Agreement and pay a one-time adherence fee. There are two membership types available: a full membership with voting rights, and two membership programmes for mid-sized and small businesses without voting rights.

Benefits of adherence to Code

Currently, only a few companies adhere to the Code (e.g. Google Cloud, Microsoft, IBM, or SAP). However, because the Code sets an accepted best practice for applying data protection regulations in the cloud computing environment, it is anticipated that it will rise in prominence and become a standard that cloud service customers will expect in the near future.

Adherence can help cloud service providers and enterprises using cloud services in a variety of ways:

  • Credibility: joining the Code General Assembly shows robust commitment to data protection and compliance.
  • Trust: adherence to a self-regulation tool accompanied with regular and independent monitoring fosters trust of customers in companies and their services.
  • Transparency: the Code requires a high level of transparency and outlines what information needs to be provided to customers. These information requirements go beyond what is required by the GDPR.
  • Accountability: the CSP can demonstrate adherence to the Code according to the data processor compliance requirements set out in Article 28 of the GDPR.

Final Thoughts

‘Malaysia: Vision Without Execution Is Hallucination’

When you’re clear in your company purpose, your “why,” as leadership author Simon Sinek puts it, your strategic direction becomes self-evident.

As Thomas Edison said, “Vision without execution is hallucination.” It’s all fine and good to have vision, and it’s all fine and good to know your why, but if you can’t execute it, then it’s of no value whatsoever. Even organisations that have a clear sense of why they exist, of the purpose, cause, or belief that defines their very existence, still face the challenge: “Okay. Now that I know that, how do I implement it?”

When we’re clear on the why, the strategic decisions that follow become much simpler. Take Steve Jobs, for example: he believed that technology should seamlessly integrate into our lives and that we shouldn’t have to change the way we live to fit technology. Technology should fit how we live.

This is the reason why simplicity mattered and why design mattered. This belief was so important to him that it drove all his decisions. It set the company’s strategy, and it is also what allowed for all the innovation.

When we’re clear in our why, the strategic directions that we choose become self-evident even if they are expensive. There’s nothing efficient about innovation. Innovation is the application of technology to solve problems, but you must know which problem you’re setting out to solve.
