Cloud Infrastructure Services Providers in Europe (CISPE) has issued a voluntary Data Protection Code of Conduct for IaaS cloud providers ('the Code').
The Code was published on 27 January 2017 and applies specifically to 'Infrastructure as a Service' (IaaS) providers. IaaS relates to the use of third party servers which host and facilitate customer data retention, back-up and transfers, a common example being Amazon Web Services.
The Code's two main purposes are to provide a data protection compliance framework for IaaS providers and to increase provider transparency (and, accordingly, customers' trust in cloud services). It also contains a section on governance to assist providers with the implementation and management of the Code.
A number of industry bodies, including the ICO and (from a consumer protection perspective) the CMA, have observed that cloud customers are struggling to keep informed with the increasingly dynamic growth of cloud services.
Check the CISPE public register to see which of your potential IaaS providers have signed up to the Code and for which services they provide.
Whether or not an IaaS provider has signed up to the Code, still consider using the Code as a basis for negotiations and best practice in the market:
The Code applies only to IaaS providers acting as a data processor. There is other information and guidance on cloud services and other types of cloud providers (such as Software as a Service providers), including the CMA report and ICO guidance as well as sector-specific cloud considerations (FCA Guidance for firms outsourcing to the ‘cloud’ and other third-party IT services).
A review of these may affect any decision on the type of cloud service that suits a customer's commercial needs best and, as a result, how a service agreement can best meet those needs from a contract perspective.
This publication is intended for general guidance and represents our understanding of the relevant law and practice as at March 2017. Specific advice should be sought for specific cases. For more information see our terms & conditions.