While over the last several months, many have expressed concern about cloud service providers’ (“CSPs”) ability to comply with the General Data Protection Regulation (“GDPR”), at the end of November some clarity was provided. On November 30, 2016, the Cloud Select Industry Group (“C-ISG”) agreed on a Code of Conduct on Data Protection for CSPs (“CoC” or “code”) – to be published in the coming weeks (latest draft is available here) – which focuses on improving the transparency of CSPs and building consumer trust. The code, which outlines certain security measures for IT systems, data centers and cloud infrastructure that would meet GDPR security obligations, provides clarity for CSPs on what is expected under the GDPR.In April 2013, the Directorate-General for Communications Networks, Content and Technology, Software and Services, Cloud Unit, with representatives from major multinational companies established the C-ISG to develop standards for CSPs. Besides the CoC, the C-ISG is also working on two other key actions: developing standard guidelines for service level agreements, and a certification scheme. On January 19, 2015, the C-ISG submitted its first draft of the code to the Article 29 Data Protection Working Part (“WP29”) for their opinion pursuant to article 27 and 20 of the Data Protection Directive (95/46/EC). After reworking the CoC in line with the comments of the WP29’s opinion for nearly a year, the C-ISG is ready to finalize the code for implementation. The European Commission has determined that SRIW, a Berlin-based organization, will take over management of the CoC and the companies that agree to commit to the code.

Under Articles 40 and 41 of the GDPR, codes of conduct are explicitly recognized and encouraged as a way to meet security requirements. Article 32(3) (Security of Processing) states that “adherence to an approved code of conduct as referred to in Article 40 or an approved certification mechanism as referred to in Article 42 may be used as an element by which to demonstrate compliance with the requirements set out in paragraph 1 of this Article.” Therefore CSPs preparing for the GDPR should consider signing up to the CoC to be compliant with the Article 32 security requirements.

Once the final version of the CoC is published, CSPs can evaluate their current security measures under the code, whether they decide to commit or not, and determine what their next steps should be for GDPR compliance.