Cloud Compliance Assessment

As part of our Professional Services portfolio, we offer a Cloud Compliance Assessment – an advisory service tailored to address regulatory compliance. Our Cloud Compliance Assessment focuses on certain key aspects of three sets of rules that are of particular importance when using cloud services:

  • The General Data Protection Regulation (GDPR)
    • which governs the processing of personal data.
  • The NIS2 Directive
    • which sets out cybersecurity requirements for organisations in scope; other organisations may also be affected indirectly.
  • The ePrivacy Directive’s Article 5(3)
    • governing the use of cookies and similar technologies on websites and newsletters.

How can a cloud compliance assessment help my organisation?

Cleura Compliance Assessment aims to:

  1. Identify areas of concern regarding regulatory compliance.
    • With regard to certain key aspects of the GDPR, NIS2, and the ePrivacy directive when using cloud services.
  2. Get insights and recommendations for immediate actions.
    • Actions that your organisation can and should take, here and now, to improve compliance with the GDPR, NIS2, and the ePrivacy directive.
  3. Get insights and recommendations for structural changes.
    • Recommendations to improve compliance posture and ability to maintain regulatory compliance in the future.

What areas and topics does the cloud compliance assessment cover?

Cleura Compliance Assessment is an advisory service that consists of three modules. They are designed to review your organisation’s general compliance with certain key areas of the GDPR, NIS2, and the ePrivacy directive, in relation to using cloud services.

GDPR

The GDPR module covers key elements of processing personal data legally in the EU. The assessment is always tailored to your organisation’s specific needs, but is meant to address the following areas of the GDPR, related to your organisation’s use of cloud services:

  • How your organisation should describe its data processing to individuals.
  • Your organisation’s legal basis for data processing and its validity.
  • If and how your organisation processes special categories of data.
  • How your organisation can achieve purpose limitation.
  • General guidance in performing data protection impact assessments.
  • General guidance on use of data processing agreements.
  • How your organisation meets its legal obligation to inform individuals.
  • The role of the Data Protection Officer (DPO).
  • Third country data transfers.
  • Sharing data with cloud service providers.
  • The use of AI.

NIS2

The NIS2 module covers key aspects of your organisation’s information security management system or other systematic cybersecurity work. Our experts look into your organisation’s risk appetite, allocation of responsibilities, and understanding of risk management measures’ aims and their proportionality. We also look at your procedures for identifying and reporting significant incidents, training, supervisory authority mandate and how cloud service provider security is assessed.

The EU NIS2 Directive applies to critical and important entities in both the private and public sectors. Organisations in scope must assess cybersecurity risks and implement measures to ensure an appropriate level of security, including in relation to recipients of the organisation’s services. National supervisory authorities are empowered with powerful tools and sanctions to enforce these rules.

ePrivacy Directive, Article 5(3)

The ePrivacy module analyses compliance with ePrivacy rules and supervisory authority (EDPB) guidelines for the use of cookies and similar technologies. The analysis is based on technical data from a page analysis of your organisation’s website, and newsletter if applicable, collected with a readily available tool. This module also covers compliance with ePrivacy rules requiring consent for direct marketing, e.g. by email or SMS, and the use of soft opt-in in the context of a sale.

What is not included in our Cloud Compliance Assessment?

Our assessment explicitly focuses on governance. Our Cloud Compliance Assessment does not include a technical review of specific IT security measures, and while many relevant compliance aspects are covered, the service does not constitute legal advice.

How does a cloud compliance assessment work?

Step 1 – Information gathering

A Cloud Compliance Assessment begins with an information-gathering step, where the customer’s existing pain points and areas of particular interest are established, followed by interviews with key customer personnel and a review of customer documentation.

Step 2 – Assessment

Our experts will review the gathered information and ask follow-up questions to get an overall picture of the current situation.

Step 3 – Reporting

Key findings will be summarised in a report that will be presented and delivered to your organisation. The report includes:

  • Key findings
  • Recommendations for immediate action
  • Recommendations for structural changes

Step 4 – Follow-up

The last step in our Cloud Compliance Assessment is a follow-up meeting. During this meeting, our subject matter expert will help answer questions and give advice on matters that may have arisen during your organisation’s implementation of the recommendations in the report.

What are the delivery components in the Cloud Compliance Assessment?

The Cloud Compliance Assessment includes:

  • Delivery of a report
    • containing a compliance assessment and recommendations for immediate actions and structural changes related to key aspects of the GDPR, ePrivacy and/or NIS2, especially related to the use of cloud services.
  • A presentation of the report
    • a 1-hour presentation to e.g. upper management, legal, compliance and security staff, IT department, website editors, or others, where questions can be asked and answered.
  • A follow-up meeting
    • to give advice and answer questions that may arise during implementation.

How much does a compliance assessment cost?

Package: A compliance assessment package covering the GDPR, ePrivacy and NIS2 has an indicative price of 25,000 SEK, a saving of 5,000 SEK compared to purchasing each assessment separately.

Separate: Compliance assessments may be purchased separately at the following indicative prices.

  • GDPR: 15,000 SEK, including 8 hours of work for interviews and to review customer documentation.
  • NIS2: 10,000 SEK, including 5 hours of work for interviews and to review customer documentation.
  • ePrivacy: 5,000 SEK.

Cleura and the customer will set out the compliance assessment’s scope and price in an agreement before a commitment is made. A bigger or smaller service scope (e.g. depending on the number of hours for interviews and amount of documentation to review) can affect pricing.