Trust in cloud computing is essential for it to reach its full potential.
Surveys conducted on the European cloud market by IDC and others have identified concerns with security and data protection as the main inhibitors to cloud adoption. The European Commission was very much aware of the need to build trust when it launched the 2012 Communication on cloud computing. The commission rightly identified that data protection is core to developing trust and embarked on a strategy to build that trust. One action the Commission took, working with industry, was to create industry working groups on different topics. Among those was a working group on data protection and the development of a European Code under the Cloud Select Industry Group Code of Conduct.
The EU Code of Conduct has been developed to align with the EU’s General Data Protection Regulation (GDPR). As the May 2018 deadline approaches for EU member states to implement GDPR, signing up to the code sends a strong signal that an organization is well on its way to preparing for the new regulation.
The EU Data Protection Code of Conduct for cloud service providers is the result of more than four years of hard work. It is a voluntary code of conduct foreseen under the GDPR, and it provides guarantees over and above the minimum legal requirement for the protection of data in the cloud.
The principle behind the code is to improve and simplify the relationship between cloud vendors and cloud users. When cloud service providers sign up to the EU Code of Conduct, they commit to implementing robust data privacy and security policies that will stand up to the changing privacy landscape ahead. The EU Code of Conduct is a quality seal: “trusted cloud made in Europe.”
Interestingly, such codes are now being perceived in the market as a way to approach GDPR: one way for cloud service providers to prepare for GDPR is to start early. Once GDPR is implemented, adherence to such a code will be one of the ways to demonstrate compliance.
Such codes are more than mere marketing slogans. They are developed with transparency and independent governance in mind, just like an international accredited standard such as ISO. They must ensure access to all to avoid anti-competitive behavior, for example. They also have to be accessible to small and medium-sized companies who may not be able to afford full-blown certification. And rather like open standards, they have to be transparent in the way they are governed.
On the other hand, a code such as the EU Code of Conduct actually sits at a level above such technical certification requirements. It requires that objectives such as providing adequate security based on the risk profile are already met, for instance, through the ISO 27001 security standard or the ISO 27018 privacy norms.
Of course, the code does not replace the service contracts that cloud providers draw up with their customers. If you like, it sits alongside the contract as a sort of health check for the user, ensuring that important topics relating to data protection in the cloud are properly addressed. If the cloud provider puts items into the contract that are against the code, they violate the code.
The EU Code of Conduct is uniquely positioned:
- It is the only code that covers the full spectrum of cloud services, from software and platform through to infrastructure.
- It’s the only code which EU authorities have been involved in developing. It is the result of four years of collaboration between the European Commission and the cloud community, including industry. The EU’s Article 29 Working Party, representing national Data Protection Authorities, gave input to the code.
- It’s independently governed. Declarations are overseen by SCOPE Europe, an independent code monitoring body. SCOPE Europe will scrutinize cloud service providers’ applications to the code to check that they are compliant, and will continually monitor services that are certified against the code, in line with GDPR requirements.
The EU Code of Conduct is open to cloud service providers of all sizes and from all cloud sectors that can commit to adhering to scrupulous data protection safeguards. Three of the global top five cloud service providers are members of the General Assembly and are working towards declaring services as the latest version of the code is published. A prominent European SME cloud services provider is also at the heart of the committee. We cater for excellence, whatever your organization’s cloud delivery model or size.
Learn more about IBM regulatory compliance solutions.