This article was published in CPO Magazine:
Since the GDPR became applicable at the end of May this year, the practical interpretation and implementation of Europe’s new – and in many areas very vague – privacy rules have been heavily discussed. Within these discussions, it is sometimes overlooked that the GDPR itself offers tools to handle the legal uncertainty that comes with the new regulation: Codes of Conduct and Certifications.
Policy makers face enormous challenges when regulating privacy in the digital sector, given the high speed of innovation and fast-changing business models compared with the lengthy decision-making procedures of a legislative process. Taking the GDPR as an example: the European Commission’s original proposal for the regulation was published in January 2012, a time when technologies like Artificial Intelligence and blockchain were not yet part of the policy debate. To address the dynamics of this fast-paced sector, the regulator knew that any attempt to regulate every single detail of existing technologies would mean that the GDPR was outdated the day it entered into force and might block future innovation, since some of the regulatory details might not fit new technologies. Against this background, a very reasonable decision was taken: to focus purposely on establishing goals that have to be reached when handling personal data, while staying rather vague on the way these goals are reached, and to offer tools for the relevant stakeholders (e.g. data protection authorities and industry) to define the exact implementation in practice. In other words, the regulator defined “what” needs to be achieved and left the “how” to stakeholders who are closer to the technologies in practice.
Looking, for example, at the lawfulness of processing, the conditions for consent or the security of processing, the GDPR states high-level goals with regard to protecting personal data. How exactly these objectives should be achieved can be defined in a Code of Conduct.
Looking deeper into this solution to legal uncertainty: organizations, associations or other collective bodies can develop a Code of Conduct to concretize the vague provisions of the GDPR for their specific sector and business needs (Art. 40). As long as the respective legal obligations are fulfilled, a Code of Conduct can adopt innovation-fostering processes, best practices and state-of-the-art technical and organizational solutions. In addition to the Code itself, the GDPR requires an ongoing monitoring mechanism to ensure alignment with the respective Code (Art. 41). This continuous review system must be based on transparent and independent procedures and executed by an accredited monitoring body.
If the requirements for both the Code and its monitoring scheme are fulfilled and approved by the supervisory authorities, organizations can achieve facilitated proof of GDPR compliance within the scope of the respective Code of Conduct. Oversight is performed by the accredited independent monitoring body, in addition to enforcement by the regulator. This ongoing monitoring aspect also differentiates a Code of Conduct from Certification (Art. 42 and 43), another compliance tool under the GDPR. Certification is usually based on a single third-party assessment that checks compliance on-site at a specific moment in time, whereas monitoring under a Code of Conduct is conducted continuously over a period of time but in many cases is not performed on-site unless an incident gives reason to do so. For instance, the monitoring body can check compliance continuously by analyzing documents that prove the implementation of the requirements of the Code of Conduct. This can be combined with a special ad hoc assessment in case the monitoring body receives an anonymous tip, or media reports indicate, that an adherent company or organization has violated the respective Code of Conduct.
Once approved, a Code of Conduct offers adhering organizations more than legal certainty. It also saves resources, for instance by avoiding later adjustments to already implemented processes that turn out to be non-compliant, and reduces the risk of fines. And, probably one of the most important advantages for businesses, the introduction of Codes of Conduct gives organizations the unique opportunity to interpret and concretize the GDPR for their specific sector and needs. This not only drives the practical implementation of Europe’s new data privacy rules overall; it also enhances trust and strengthens the protection of personal data while safeguarding innovation-friendly solutions for businesses and organizations.
The EU Data Protection Code of Conduct for Cloud Service Providers (short: EU Cloud Code of Conduct) is a best-practice example of how stakeholders can use this new regulatory tool to foster GDPR implementation. Following close collaboration between the Cloud Select Industry Group and the European data protection regulatory bodies, a consortium of cloud service providers (CSPs) formed the General Assembly of the EU Cloud Code of Conduct and worked out a framework enabling CSPs to demonstrate their capability to comply with the GDPR. In particular, the EU Cloud Code of Conduct offers cloud-specific approaches and procedures, incorporating best practices from the Code’s member companies and linking the Code text to European and international security and data privacy certification schemes and standards. The example of the EU Cloud Code of Conduct shows how a group of organizations chose to work collectively on the implementation of the GDPR in their specific sector – in this case, the cloud market – by concretizing the high-level goals of the regulation.