Organize your compliance in the cloud

Being accountable or responsible for organizing compliance with policy, legal and contractual obligations is an important theme for management. Of course there are the usual tax, commercial, statistical and banking obligations. There are also obligations that are being tightened up further, such as organizing information security and protecting personal data. We see a steady growth of sectoral and incidental obligations that companies must comply with by law. Liability and cost risks are increasing for some companies and there is a need for an integrated compliance approach.

Organizing IT cloud compliance is a special and fundamental business activity because safeguarding information security and protecting personal data is necessary for the continuity of business operations and being able to organize a more integrated compliance approach. It is the usual companies like Microsoft, Amazon and Google that provide IT cloud services to businesses. When describing this service, we limit ourselves to compliance in the cloud.

How can we help you?

Do you have questions about organizing, implementing or expanding your business (compliance) function? Our service owner, Caroline Willemse or her colleagues, would be happy to discuss your specific case.

Companies outsource their IT support of business processes to cloud suppliers. The degree of outsourcing determines the company. We are familiar with cloud services such as IaaS, PaaS or SaaS or a mix of these. With SaaS, the cloud supplier takes most of the responsibility (think of an accounting package in the cloud). For example, with an IaaS, the company uses the hardware and system software of the cloud provider. The company organizes its own environment and takes full responsibility for the effective functioning of the infrastructure.

Depending on the nature and size of the business activities, a company formulates the baseline that it and the cloud suppliers must comply with. For example, the company must demonstrate that its security and control measures effectively protect its personal and business data as required by the GDPR.

Company is and remains ultimately responsible

Regardless of which cloud variant a company purchases, the company is and remains responsible for protecting its business and personal data. So, also the processing that is carried out by the cloud suppliers. There is a chain liability. The large cloud providers provide an accountability report (often with certificates) for this that can be assessed by the company and included in its own accountability.

The compliance officer plays a desirable and necessary role in compiling the accountability for organizing compliance with policy, legal and contractual obligations.

The same applies to the providers of services purchased from companies that offer cloud services on the infrastructure of the large cloud providers (ICP). Before such a service is purchased, it must be established that compliance on this part is possible, so that compliance remains possible throughout the chain.

Cloud suppliers often offer the compliance officer a role with an effective set of instruments to effectively organize compliance management.

The Data Protection Officer

From 2016, the European General Data Protection Regulation (GDPR) comes into effect. Many companies have appointed a DPO, whether or not they are required to do so. The DPO has supervisory and operational compliance tasks that are supported by more and more cloud services. Cloud suppliers provide a DPO role that allows the DPO to organize her tasks effectively.

Microsoft 365 and Azure tenant

An example of a cloud supplier that explicitly takes risk and compliance management into account, as well as the work of a DPO is Microsoft.

To perform compliance, Microsoft offers 365 Purview. Purview is an integrated data management solution that can manage on-premise, multi-cloud and SaaS data. It offers automated data discovery, classification of sensitive data and end-to-end data origin, among other things.

It offers the possibility to perform the assessment with various available standards frameworks (such as ISO27001, AVG) but also with your own standards framework. As a result, overlap of activities can be prevented, because each framework of standards often has a slightly different approach, and demonstrability is available so that additional records can be made.

In addition to the DPO, there is the cloud application in MS 365 and Azure cloud Microsoft Priva Privacy Risk Management.

Our professionals follow training courses from Duthler Academy and from cloud suppliers, such as Microsoft. With this, our professionals continue to expand their knowledge and gain experience in the roles of risk manager, compliance officer and DPO at various companies. For some companies, our professionals fulfill combinations of these roles.

Sometimes a company wishes to develop risk management and pay attention to the protection of personal data. The professionals formulate policy and build up knowledge and change management using the training programs of Duthler Academy.

Using the tools of the cloud vendors, our professionals fulfill their role effectively. For example, applying the Security Center, Defender or Sentinel in MS 365 and Azure tenants.

More about compliance in the cloud

Do you have questions or need an appointment?

Do you have questions about organizing, implementing or expanding your compliance in the cloud? Our service owner, Caroline Willemse or her colleagues, would be happy to discuss your specific case.