Teal blue header image

New Data Protection Code of Conduct for IaaS Cloud Providers

Cloud Infrastructure Services Providers in Europe (CISPE) has issued a voluntary Data Protection Code of Conduct for IaaS cloud providers ('the Code').

The Code was published on 27 January 2017 and applies specifically to 'Infrastructure as a Service' (IaaS) providers. IaaS relates to the use of third party servers which host and facilitate customer data retention, back-up and transfers, a common example being Amazon Web Services.

The reason for the Code

The Code's two main purposes are to provide a data protection compliance framework for IaaS providers and to increase provider transparency (and, accordingly, customers' trust in cloud services). It also contains a section on governance to assist providers with the implementation and management of the Code.

A number of industry bodies, including the ICO and (from a consumer protection perspective) the CMA, have observed that cloud customers are struggling to keep informed with the increasingly dynamic growth of cloud services.

What the Code of Conduct does

  • Gives guidance on compliance with the incoming General Data Protection Regulation (GDPR) which takes effect from 25 May 2018, where the IaaS provider acts as a data processor.
  • Allocates data protection responsibilities between the IaaS provider and the customer.
  • Provides six objectives for the provider to meet the Code's transparency requirements, including a high-level statement on the IaaS provider's service standards regarding Confidentiality, Availability and Integrity (three concepts that the ICO covers in its Guidance on the use of cloud computing checklist).
  • Sets out provider adherence and customer complaints processes in relation to the Code.
  • Requires providers to offer customers the option to have their personal data stored and processed entirely within the European Economic Area.

What it doesn't do

  • An IaaS provider is not obliged to offer all of its services in accordance with the Code. The IaaS provider may choose to offer only a selection which it can certify adheres to the Code. Check the extent by which the services you intend to use are covered.
  • The Code does not apply where the IaaS provider processes data as a data controller.
  • The Code identifies data processing requirements but does not guarantee compliance with GDPR.
  • The voluntary Code is not a substitute for a binding service agreement, including GDPR compliant provisions, between the IaaS provider and the customer.

Cloud customers – practical steps

Check the CISPE public register to see which of your potential IaaS providers have signed up to the Code and for which services they provide.

Whether or not an IaaS provider has signed up to the Code, still consider using the Code as a basis for negotiations and best practice in the market:

  • assess the extent and value of the services you are aiming to receive;
  • ensure the proposed service agreement sufficiently covers any service descriptions/KPIs/failures and credits (instead of such information only remaining in any marketing/proposal documents, which are more likely to be general and fall short of clear contractual commitments); and
  • clearly allocate risk between the parties and draft the agreed position into the terms accordingly (particularly with regard to indemnities and any limits on liability).

Searching for the silver lining

The Code applies only to IaaS providers acting as a data processor. There is other information and guidance on cloud services and other types of cloud providers (such as Software as a Service providers), including the CMA report and ICO guidance as well as sector-specific cloud considerations (FCA Guidance for firms outsourcing to the ‘cloud’ and other third-party IT services).

A review of these may affect any decision on the type of cloud service that suits a customer's commercial needs best and, as a result, how a service agreement can best meet those needs from a contract perspective.

This publication is intended for general guidance and represents our understanding of the relevant law and practice as at March 2017. Specific advice should be sought for specific cases. For more information see our terms & conditions.


Insights & events View all