GDPR and codes of conduct in SaaS

Our ICT team considers some of the codes of conduct used by software as a service (SaaS) providers in light of the GDPR, which has applied since May 2018.

This article was first published on Lexis®PSL TMT on 17 January 2019.

What major codes of conduct (or the like) may be used by SaaS providers to demonstrate compliance with requirements of the GDPR?

The EU Cloud Code of Conduct allows self-evaluation/declaration or third-party certification of compliance with requirements which mirror the General Data Protection Regulation (EU) 2016/679 (GDPR) obligations (contained in Article 28 of the GDPR) imposed on data processors. The Code is voluntary but it contains guarantees over and above the minimum legal requirements for protection of data in the cloud, alongside a commitment to implementing the ‘technical and organisational measures’ required with regards to data security under the GDPR.

The Cloud Security Alliance (CSA) Code of Conduct provides a ‘consistent and comprehensive framework for complying’ with GDPR. This Code provides a template to be followed by SaaS providers, which can be adapted to fit any model of provider regardless of size or their status as a processor or controller under the GDPR. It provides a mechanism to allow a cloud provider to demonstrate compliance with the Code as well as assuring clients of their compliance with the GDPR conditions more generally.

The Code of Practice for Cloud Service Providers was updated by the Cloud Industry Forum in September 2017 to incorporate GDPR requirements. This Code provides a checklist for best practice in the provision of cloud services and allows providers to assess themselves against developed standards amongst their peers.

A further code of conduct, used by some large providers such as Amazon, is the Cloud Infrastructure Services Providers in Europe (CISPE) Code of Conduct, which has a dual role: assisting providers in their compliance with the GDPR and avoiding penalties, while also offering a framework to help customers select trustworthy providers that apply appropriate data protection standards. The focus of this Code is on restricting data storage and transfer locations to those in the EEA only: the Code enforces customer choice about where their data is stored and ensures that such data is processed solely within the EEA. SaaS providers are also required to commit to strict provisions regarding the use of personal data, prohibiting profiling or direct marketing.

This document (and any information accessed through links in this document) is provided for information purposes only and does not constitute legal advice. Professional legal advice should be obtained before taking or refraining from any action as a result of the contents of this document.