Discover your certification today Browse
Open page navigation

CIF provides the sole certification for Cloud Service Providers who need to better position themselves as GDPR prepared

Since 2009, the Cloud Industry Forum (CIF), has endeavoured to raise standards and improve transparency within the cloud sector.

CIF has now incorporated enhancements to its Code of Practice (Code) to deal with the General Data Protection Regulation’s (GDPR) requirements, ultimately bringing clarity to the market and enabling Cloud Service Providers (CSPs) to establish themselves as GDPR prepared. CIF provides a clear pathway for customers to choose trusted, certified cloud suppliers.

The General Data Protection Regulation comes into force in May 2018, bringing new roles and responsibilities for Data Controllers and Processors. The law aims to harmonise legislation across the EU and increase protection of citizens’ information. However, there's currently uncertainty concerning the new laws as there aren’t any clear, accredited standards in situ that specify what measures CSPs should implement to confirm compliance. CIF has incorporated key elements of the GDPR into its existing Code framework to assist organisation’s navigation and compliance of the terms of the regulation.

The CIF Code provides a comprehensive framework that allows CSPs to benchmark their operations against industry standards, providing a pathway for best practice within the provision of cloud services. Designed around the 3 pillars of ‘Transparency, Capability and Accountability’ the framework is rigorously reviewed by the Cloud Industry Legal Forum, to comply with guidance from the European Commission. The Code is recognised by EU Agency for Network & Information Security (ENISA). 

Cloud Service Providers who certify to the Code have the knowledge and ability to confirm their organisation is on track for GDPR compliance. In addition, existing certified Code resellers are encouraged to update their position to incorporate GDPR additions.

Alex Hilton, CEO of CIF, says: “The GDPR is a considerable piece of legislation that will leave no space for companies to hide, especially if they don’t take data security seriously. A failure to demonstrate compliance with the GDPR can result in organisations receiving massive punitive fines which, aside from damaging their reputation, could potentially put them out of business. It is therefore vital that these organisations have the appropriate skills and knowledge in place.

“It’s incumbent on CSPs to be able to demonstrate they have the required capabilities. However, in many ways the GDPR is an abstract and non-prescriptive piece of legislation and the absence of a concrete standard makes it difficult for certain companies to be sure that what they have put in place is compliant.”

Frank Jennings, lawyer and chair of the Code of Practice governance board explains: “Cloud providers (and their customers) could face fines of up to €20m for data breaches under GDPR and Brexit won’t change that. Compliance with the updated Code should help compliance with GDPR and will reduce the likelihood of a receiving such a fine.

"The GDPR will force customers to go back to their service providers to verify they are ready to deliver on their commitments under the new regulation. Similarly, customers selecting a new provider will include GDPR in their due diligence. For service providers GDPR is a mission critical event for the retention of existing customers and winning new customers and the CIF Code is there to provide assurance to customers," added Frank Bennett, Deputy Chair of CIF. 

“This is exactly why we have enhanced our Code of Practice. The updated certification will help guide companies on their path to compliance with the GDPR. CIF’s Code aims to bring greater transparency and trust when doing business in the cloud, and these attributes are key determining factors for the success of any CSP who wants to prosper now and once the GDPR comes into full effect. Due to the updates that have been implemented, we believe that everyone will be able to gain the support they need and that confidence will be instilled in clients and customers. But ultimately, this will help create a better and safer cloud for all,” added Alex.

Richard Pharro, CEO of APM Group, concluded: “Nearly 90% of UK companies are now using at least one cloud based service to run their business. These businesses are reliant on their provider to protect their assets. Having confidence that their supplier has the necessary controls in place to comply with GDPR regulations will be a key selection criterion for many businesses. The enhanced Code provides a simple and transparent verification of your supplier’s capability.”

For more information on CIF’s Code of Practice visit:



About the Cloud Industry Forum (CIF)

The Cloud Industry Forum (CIF) was established in direct response to the evolving supply models for the delivery of software and IT services that has expanded well beyond the traditional on-premise method to one that now embraces hosted and/or, pay-as-you-use Cloud solutions.

CIF’s purpose is twofold: To drive a common and public level of transparency about the capability, substance and best practices of online Service Providers (SaaS, PaaS, IaaS, Web hosting providers etc.) through a process of self-certification to a Code of Practice.  Second, this Code of Practice, and the use of the related Certification Mark on participant’s web sites, provides comfort and promotes trust to businesses and individuals wishing to leverage the commercial, financial and agile operations capabilities that the Cloud based and hosted solutions can offer. CIF is ensuring the integrity and governance of the self-certification process through regular random audits as well as investigating complaints from parties that challenge any specific participants’ self-certification status.

Visit the website at:

Press contacts:

Edward Dodge / Beau Bass


T: +44 (0)20 7388 9988