What is this standard about?
Devices such as tablets, smartphones and IoT sensors regularly send data to, and receive data from, the cloud, which is very useful. However, it is difficult for device users to know what data is flowing where, how it is being processed, and for what purpose.
In parallel, there is a growing volume of regulation across the world mandating how personal data should be handled in digital environments. This standard was written with that regulation in mind.
It establishes common terminology and concepts so that cloud service providers can construct data use statements that clearly describe to device users how their data is being treated.
This in turn will help cloud service providers comply with personal data handling regulations such as the EU’s General Data Protection Regulation (GDPR).
Who is this standard for?
- Cloud service providers
- Cloud service customers
- Cloud service users and device users
- Anyone involved in legal, policy, technical or other implications of data flows between devices and cloud services
Why should you use this standard?
This standard:
- categorizes cloud services, the elements running on devices, and the data flows between them
- provides a taxonomy of data to allow a standardized description of the kinds of data flowing between devices and cloud services
- provides a categorization of the kinds of data use that occur, and a standard means of describing the handling of personal data (PII)
- defines a standardized form for "data use statements", which describe what processing is done with data, where it is done and for what purpose(s)
It will help cloud service providers clearly describe to service and device users how data is flowing and being processed in relation to cloud services and the devices using those services.
In the UK it is also particularly relevant in the context of the GDPR, which applies to the protection of personal data. The standard gives cloud service providers a means of demonstrating the transparency that the GDPR requires: what data is being acquired, for what purposes, and how it is being processed.