September 29, 2022

Volume XII, Number 272



Cloud Security Alliance Releases Code of Conduct for GDPR Compliance

Data controllers and processors are working hard to make sure they have compliance programs in place by the time the European Union’s General Data Protection Regulation (GDPR) becomes enforceable on May 25, 2018. To that end, a new resource was released last week to help evaluate the level of personal data protection offered by cloud service providers (CSPs).

On November 21, 2017, the Cloud Security Alliance (CSA), an organization dedicated to defining and raising awareness of best practices for a secure cloud computing environment, released the CSA Code of Conduct for GDPR Compliance (CoC) to provide CSPs and current and potential cloud customers with guidance on their compliance obligations under the GDPR. The CSA also launched the GDPR Resource Center, a “community-driven website with tools and resources to help educate” CSPs and enterprises on the GDPR.

According to the CSA, the CoC has two primary purposes: (1) to provide “cloud customers of any size with a tool to evaluate the level of personal data protection offered by different CSPs (and thus to support informed decisions)”; and (2) to provide “CSPs of any size and geographic location with a guidance to comply with European Union (EU) personal data protection legislation and to disclose, in a structured way, the level of personal data protection they offer to customers.”

To achieve these purposes, the CoC provides a technical standard that specifies how GDPR requirements apply in a cloud computing environment (the “Privacy Level Agreement Code of Practice”), with a focus on the following categories:

  • The processing of personal data in a fair and transparent manner

  • The information that is provided to data subjects and to the public

  • The rights of data subjects and how those rights are exercised

  • The measures and procedures described in Articles 24 and 25 of the GDPR (the controller’s responsibility, and data protection by design and by default) and the measures to ensure the security of processing set forth in Article 32 of the GDPR

  • The notification of personal data breaches to supervisory authorities and the communication of breaches to data subjects

  • The transfer of personal data to third countries

The Privacy Level Agreement is set forth in a template intended to be used as an appendix to a cloud services agreement, so that the agreement clearly describes the data protection and privacy practices the CSP maintains with respect to the processing of the customer’s personal data.

The CoC also includes a governance structure with adherence and certification mechanisms, such as templates for self-assessments by CSPs and for third-party certification.

The CoC should be a useful tool both for CSPs seeking to achieve GDPR compliance and for cloud customers evaluating and overseeing the data protection practices of the CSPs they engage.

The CoC can be downloaded for free on the CSA website.

Copyright © 2022 by Morgan, Lewis & Bockius LLP. All Rights Reserved. National Law Review, Volume VII, Number 334

About this Author

Peter Watt-Morse, Morgan Lewis, Intellectual property lawyer

Peter M. Watt-Morse, one of the founding partners of the firm’s Pittsburgh office, has worked on all forms of commercial and technology transactions for more than 30 years. Peter works on business and intellectual property (IP) matters for a broad range of clients, including software, hardware, networking, and other technology clients, pharmaceutical companies, healthcare providers and payors, and other clients in the life science industry. He also represents banks, investment advisers, and other financial services institutions.

Christopher Archer, Corporate Transactions Attorney, Morgan Lewis

Christopher C. Archer focuses his practice on outsourcing, strategic technology, and commercial transactions. He regularly assists clients with global outsourcing deals that span a wide range of business processes, including information technology, finance and accounting, procurement, and other core and non-core functions. His work includes advising and supporting clients through each phase of an outsourcing transaction, from the RFP process through contract negotiations. He also drafts and negotiates licensing agreements, including cloud-based software license...