Code of Conduct: An Effective Tool for GDPR Compliance

ShanShan Pa
Author: ShanShan Pa, Managing Director, State Street Alpha Technology Risk Management
Date Published: 18 January 2022

We are three+ years out from the EU General Data Protection Regulation (GDPR) taking effect. While many organizations are still new to or struggle with GDPR, a more recent milestone could shed light on this development for privacy practitioners and implementors.

In May 2021, with the blessing from the European Data Protection Board (EDPB) and the approval from the Belgium Data Protection Authority (DPA), the EU Cloud Code of Conduct became the first approved transactional code under the GDPR article 40 (Codes of Conduct) and article 41(Monitoring of approved codes of conduct). According to the GDPR, adherence to approved codes of conduct may be used as an element to demonstrate legal compliance. Since this code is for the cloud industry, a cloud service provider (CSP) could declare the adherence of the code to verify compliance and satisfy the requirements of Article 28 (Processor). User companies could also use it to evaluate and understand the compliance practice of a cloud service provider.

Let’s walk through the detailed anatomy of the code. The codeaims to provide practical guidance and define specific requirements per GDPR Article 28 for processors in the EU. It covers all types of cloud service models: SaaS, PaaS and IaaS. It is created to suit organizations of different sizes, from large to SMEs. An organization can declare its adherence to the code to demonstrate its GDPR compliance.

The body of the code is clearly described as follows with each section addressing a particular topic:

  1. Scope describes the field of application of the code including the intended use cases and the CSP’s cloud services to which it may apply. For example, it helps define the cloud service model in scope and the service type, such as public cloud, private cloud and hybrid cloud. Because cloud service models and types will have different responsibilities under GDPR, at the scope state, the code helps an organization to sort out the obligations and involved parties (especially if there is no personal data involved in the processing, it would be out of scope).
  2. Data protection describes the substantive rights and obligations of adhering to CSPs based on fundamental principles like purpose delimitations, data transfers, security, auditing, liability and data subject rights. This is the main section of the code where all requirements will be translated into each of the subsections such as Right to Audit, Rights of Data Subject, Sub-processor, etc. This part covers the complete lifecycle of the service from the beginning of the contract terms and agreement to the termination of the service agreement.

    For a complex regulation like GDPR, the code put itself into the implementer’s shoes and created a series of controls for each section. A complete control matrix is supplemented at the end of the code, serving as a workbook to assist implementers in navigating all the requirements:
  3. Figure 1

    Figure 2

  4. Security requirements describe how the adhering CSP must ensure that its cloud services to which the code applies meet a baseline of appropriate technical and organizational security measures. The code offers flexibility for a company to map their existing security practice to the requirements, such as ISO 27001, ISO 27018, ISO 27701, SOC 2, Cloud Computing Compliance Controls Catalog (“C5”), etc.
  5. Monitoring and compliance describe how the requirements of the code are monitored, CSPs’ compliance to the requirements of the code is ensured and complaints can be handled. This section is equally important because of the code’s transparency and independence. The code is managed and monitored by an independent monitoring body approved according to the GDPR article 41. The code offers different compliance levels tailoring to each organization’s needs.
  6. Internal governance describes how the code is managed, applied and revised including the roles and obligations of its governing bodies.

This first lighthouse project to a self-regulated industry-standard opened a new page for many industries’ specific codes of conduct. While the code currently is not to be used in the context of international transfers of personal data, the extended plan for the code is to finalize third-country transfer safeguard measures to complement the EU Cloud Code of Conduct and become a safeguard according to GDPR Article 46 (Transfers subject to appropriate safeguards). It will be interesting to see more tools and options for the market to utilize to achieve compliance and enable trust. 

Editor’s note: Participate in our Ask Me Anything online discussion with data privacy expert Cat Coode from 24-28 January and visit our Privacy Month page for new privacy resources from ISACA.

About the author: ShanShan Pa is Head of Compliance & Privacy, Alibaba Cloud (Americas & EMEA). She is an experienced compliance officer with a demonstrated history of working in a variety of industries. She is a strong compliance professional skilled in data privacy, security, enterprise risk management, internal audit and business process improvement.