Cloud Industry Body Establishes New Data Protection Code of Conduct for Cloud Infrastructure Services

Members of Cloud Infrastructure Service Providers (‘CISPE’) – the united voice of cloud infrastructure providers covering 15 European countries – have signed up to a Code of Conduct (the ‘Code’) introduced on 27 January 2017. The Code will incorporate the demands of the impending European Union General Data Protection Regulation (‘GDPR’), in force from 25 May 2018 in the UK, whilst offering a framework to customers when choosing an infrastructure service specific to their needs as well as seeking to promote trust in the services provided by the service provider.

The Code is tailored to the provision of Infrastructure-as-a-Service (‘IaaS’). As asserted by CISPE, this will “improve the understanding of Iaas in the European Union by creating transparency”, “contribute to an environment of trust” and “will encourage a high default level of data protection” – the greatest beneficiaries expected to be SMEs as users and providers and public administrators.

The Code requires IaaS Providers as data processors to comply with a set of requirements covering data protection, transparency and adherence. It excludes the reuse of a customer’s data, allows Iaas Providers to process and store customer’s data exclusively in the EU and helps citizens regain control over their data. It also includes a governance structure that aims to support the implementation, management and evolution of the Code.

The Code is a voluntary instrument, allowing participating IaaS Providers to evaluate and demonstrate its adherence to the Code for one or several of its services. Certification comes in two forms (i) by an independent third party auditor(s) or (ii) by self-assessment following which the IaaS Provider may use the Code’s relevant compliance marks.

In practice, the Code is likely to improve clarity, certainty, trust and confidence in the field of cloud computing services and improve the often misunderstood distinction between the different cloud deployment models. That said, it is yet to be seen whether this will mark a discernible increase in business take-up of cloud services.

Sharpe Pritchard has a specialist data and technology team with an outstanding reputation amongst national and local public bodies and contractors. If you require any further advice in relation to the matters raised in this case or anything else concerning data or information law issues, we would be happy to hear from you.


This article is for general awareness only and does not constitute legal or professional advice. The law may have changed since this page was first published.