Tech & Sourcing @ Morgan Lewis


Data owners and processors are working hard to make sure they have compliance programs in place by the time the European Union’s General Data Protection Regulation (GDPR) goes into force on May 25, 2018. To that end, a new resource was released last week to help evaluate the level of data protection offered by cloud service providers (CSPs).

On November 21, the Cloud Security Alliance (CSA), an organization dedicated to defining and raising awareness of best practices for a secure cloud computing environment, released the CSA Code of Conduct for GDPR Compliance (CoC) to provide CSPs and current and potential cloud customers with guidance on compliance obligations under the GDPR. The CSA also launched the GDPR Resource Center, a “community-driven website with tools and resources to help educate” CSPs and enterprises on the GDPR.

According to the CSA, the CoC has two primary purposes: (1) to provide “cloud customers of any size with a tool to evaluate the level of personal data protection offered by different CSPs (and thus to support informed decisions)”; and (2) to provide “CSPs of any size and geographic location with a guidance to comply with European Union (EU) personal data protection legislation and to disclose, in a structured way, the level of personal data protection they offer to customers.”

To achieve these purposes, the CoC provides a technical standard that specifies the application of GDPR requirements in a cloud computing environment (the “Privacy Level Agreement Code of Practise”), with a focus on the following categories:

  • The processing of personal data in a fair and transparent manner
  • The information that is provided to data subjects and to the public
  • The rights of data subjects and how those rights are exercised
  • The measures and procedures described in Articles 24 and 25 of the GDPR and the measures to ensure the security of data processing as set forth in Article 32 of the GDPR
  • The notification of personal data breaches to supervisory authorities and the communication of breaches to data subjects
  • The transfer of personal data to third countries

This Privacy Level Agreement is set forth in a template intended to be used as an appendix to a cloud services agreement; the appendix clearly describes the data protection and privacy practices that a CSP maintains with respect to data processing.

The CoC also includes a governance structure with certification and adherence mechanisms, such as templates for self-assessments by CSPs and third-party certifications.

The CoC should be a useful tool both for CSPs seeking to achieve GDPR compliance and cloud customers evaluating and overseeing the data protection practices of CSPs.

The CoC can be downloaded for free from the CSA website.