The EU Cloud Code of Conduct: Apply GDPR Compliance Regulations to the Cloud

The CSA Security Update podcast is hosted by John DiMaria, Director of Operations Excellence at CSA. The podcast explores the CSA STAR program, cloud security best practices, and associated technologies. In this blog series, we edit key podcast episodes into shorter Q&As.

Today’s post explores how the European Union (EU) Cloud Code of Conduct can help cloud service providers comply with GDPR. Special guest Gabriela Mercuri of SCOPE Europe shares her insights. Take away valuable knowledge about the data security landscape and practical steps you can follow to ensure your organization is GDPR compliant.

Consider listening to the full podcast episode here.

---

John DiMaria: I'm thrilled to be here today for what promises to be an enlightening conversation on GDPR compliance in the cloud industry. Our guest today is Gabriela Mercuri, Managing Director of SCOPE Europe. Gabriela leads the development and implementation of self and co-regulatory tools in the digital sector. This includes the highly regarded EU Cloud Code of Conduct, a key framework for GDPR compliance and cloud services.

Today we're going to explore how tools like the EU Cloud Code of Conduct are instrumental in helping cloud providers navigate GDPR requirements. We'll take a closer look at how the collaboration between CSA and SCOPE Europe is enhancing transparency, trust, and compliance in the cloud industry. So with that, Gabriela, welcome to the show.

Gabriela Mercuri: Thank you very much, John. It's a pleasure to be here.

What are Codes of Conduct?

John: We have quite a diverse audience here, so we should probably start by just answering: What are codes of conduct under GDPR?

Gabriela: So starting with a little bit of background on SCOPE Europe. We are a Brussels-based organization established in 2017. We were made specifically to fulfill the requirements of Article 41 of GDPR - to act as a monitoring body of codes of conduct. But also more generally to host the development, negotiation, and implementation of codes of conduct for data protection.

Today we are the accredited monitoring body of two different codes of conduct under the GDPR. One at the European level, namely the EU Cloud Code of Conduct.

So let's rewind a little bit to the EU General Data Protection Regulation (GDPR). It was approved in 2016 and came into force in 2018. The goal with this regulation was to give individuals or data subjects control over their personal data. Personal data here being pretty much any type of data that might allow an individual to be recognized.

The bottom line with GDPR is that organizations must have a reason to keep personal data and they must prove that it's well protected. So GDPR is all about transparency and accountability.

Since it came into force, GDPR has significantly changed the way companies handle their personal data. Organizations must undergo significant efforts to implement quite robust technical and organizational measures to ensure that personal data is properly protected. Non-compliance can lead to extremely high fines. It is understandable that this caused a lot of fuss, a lot of fear, and now codes of conduct tailoring.

The idea of having codes of conduct in the first place comes from the fact that GDPR is a one-size-fits-all and principles-oriented regulation. That led to very vague provisions. This approach was really crucial. Regulators understood that they were about to rule highly innovative, data-driven industries that are quite complex and ever-evolving. They decided to stay away from technical elements to futureproof the regulation as much as possible.

Now on the other hand, the approach of having this general regulation, it causes a lot of legal uncertainty because those provisions are quite vague. There is a lack of specification and in clear steps to comply. They understood this core challenge and had already incorporated some tools into the GDPR itself. Codes of conduct are one of them. According to GDPR, codes of conduct can be drafted by associations and other bodies representing data controllers or processors. If these instruments are approved by data protection authorities, they can be used as legal proof of compliance.

The goal, as I said, is to specify the application of the regulation. There’s this misconception when it comes to the purpose of codes of conduct. A lot of people hear it's a “code of conduct,” so they think, “You have requirements on top of GDPR, you need to go beyond. Because the regulation is already there, otherwise what is the added value?”

But the answer is no, at least not necessarily. The regulation is quite clear on that aspect. The goal is to concretize the provisions. To say how you implement this within, let's say, the cloud industry. Now, a sector can choose to go beyond if they believe it's suitable. If for instance, they're processing high risk, highly sensitive data. Then it makes sense to have additional measures that go beyond GDPR.

So I think once we understand this background, that it's this exercise of specifying the general provisions against the background of those fines and legal uncertainty, it becomes quite clear why these compliance tools can be very helpful in the day-to-day.

What are Monitoring Bodies?

John: That leads me into wanting to get into a little bit more of the operational aspects of GDPR compliance. I want to concentrate on the EU Cloud Code of Conduct and the role of SCOPE Europe. Could you tell us about what monitoring bodies are under GDPR?

Gabriela: Happy to do so, it's our cup of tea. Codes of conduct are not new within the privacy environment. However, GDPR puts forward a much more robust framework by adding another article.

You have codes of conduct, which are under Article 40, and then you have the monitoring bodies under Article 41. This states that compliance must be overseen by an accredited independent third party, AKA the monitoring body. Therefore the approval of a code of conduct and the accreditation of its monitoring body are different processes. They walk hand-in-hand - a code only comes to life if both Article 40 and 41 are fulfilled.

So I would say the monitoring body is that last piece of the puzzle that helps reach legal certainty. It does not substitute the data protection authority. I like to make this clear as well. Basically, it works as an arm that helps proper application of GDPR on the day-to-day.

There's a quite good analogy that unfortunately is not mine. It came from the former chairman of the Belgium Data Protection Authority. He said that the monitoring body is like the video assistant referee in football, well, soccer for the American listeners. But the idea is you are not there to substitute the referee, but rather to help proper enforcement.

The monitoring body is there checking and verifying adherence. They make sure that companies that sign up to the code are properly implementing the measures needed to ensure the proper protection of personal data. So in a nutshell, that's the monitoring body's role within the whole equation.

What is the Collaboration between CSA STAR and the EU Cloud Code of Conduct?

John: We get a lot of inquiries about the collaborative aspect between the CSA STAR Registry, SCOPE Europe, and the EU Cloud Code of Conduct. From your perspective of things, what’s the purpose of this collaboration and how can it benefit cloud service providers and users?

Gabriela: To specify what it is a little bit more, the EU Cloud Code of Conduct concretizes the processing requirements under the GDPR, meaning Article 28 and all its related articles, to proper application across the cloud environment. This was the first European-wide code of conduct to be approved. And now it's still the only European-wide code of conduct that also covers all cloud service layers - IaaS, PaaS, and SaaS.

Knowing that CSA is a global leader in cybersecurity certifications, we discussed how we could explore the synergies between us. Although we are talking about privacy versus cybersecurity, those are two sides of the same coin. There is no privacy without cybersecurity and vice versa. The collaboration emerged from this shared commitment to advance cloud security and privacy.

I know this all sounds quite abstract, so let's go back to the concrete side. It allows for a more comprehensive and integrated approach to cloud compliance. Why? The CSA STAR Registry is already a broadly recognized platform where cloud users can assess cloud offerings and their existing certifications. Now, the EU Cloud Code of Conduct compliance mark is also integrated into the platform.

Whenever customers are looking for which cloud service provider to onboard, they can take a look at the CSA STAR Registry and have a very comprehensive picture when it comes to compliance. They can see which services have certifications for cybersecurity and for privacy. This really simplifies the life of cloud users. We know how cloud is already a very complex topic and it's a little bit of a black box—we'd like to do whatever we can do to facilitate risk assessments, which is very important for any business that is looking to onboard cloud services.

There is also a dedicated framework for cloud providers who wish to declare adherence to the EU Cloud Code of Conduct that are already in the CSA STAR Registry. They can declare adherence to the EU Cloud Code of Conduct via a special framework designed for them.

How Do I Declare Adherence to the EU Cloud Code of Conduct?

John: Having privacy and security together is so important. And this really enhances the transparency and trust of the organizations. It shows that they have some sort of privacy system in place, on top of being compliant with CSA STAR. What steps should a CSA STAR member take if they want to declare adherence to the EU Cloud Code of Conduct?

Gabriela: The first suggestion for any CSA STAR member that is interested in declaring adherence to the EU Cloud Code of Conduct would be to review the specific requirements. Once you download the Code, you’ll see that it is made of two different parts. The first one is the code text, and the second one is the controls catalog, which facilitates the implementation of the provisions.

Take a look at the code and the controls catalog to see where you are standing when it comes to the implementation of the code-specific technical and organizational measures.

Then, you can then submit the declaration of adherence through the EU Cloud Code of Conduct website. Once you do that, you will undergo an assessment which is conducted by the accredited monitoring body, SCOPE Europe. If you successfully complete the assessment process, the compliance statutes will be easily accessible in the EU Cloud Code of Conduct Public Register and the CSA STAR Registry.

John: Fantastic. To close out, what would be the best way for people to contact you or SCOPE Europe? What would be the best way for them to explore this further with you all?

Gabriela: Please feel free to go to the EU Cloud Code of Conduct website where are you can find our contact form to reach out if you have any questions. If you are a CSA STAR Registry member, feel free to reach out to the colleagues at CSA.

We are working with this collaboration very closely—there will be someone ready to clarify any questions you might have and to walk you through it in detail. We are happy to sit together and walk cloud service providers through the steps of compliance because we know it's a complex topic.

John: Fantastic. You can go to the Cloud Security Alliance website as well to look into it. If you want us to facilitate connections between you and SCOPE, you can also email us at [email protected] and we'll get you hooked up with the right people.

Gabriela, it was a distinct pleasure having you on show. Thank you so much for taking time out of your busy schedule to be with us. We'll definitely continue this conversation down the road.