GDPR Compliance in the Cloud

By Moazzam Adnan Raja, Atlantic.Net


On May 25, 2018, the General Data Protection Regulation (GDPR) went into effect. This new set of standards and guidelines deserves special consideration related to cloud computing. This article reviews what the GDPR is, tactics you can use to best protect information within cloud environments, and how you can identify a cloud service provider (CSP) that takes GDPR compliance and data protection seriously.

What is the General Data Protection Regulation?

This information privacy law, passed by the European Parliament in April 2016, took the place of a data law that was passed by the same body in 1995. The regulation mandates that organizations set up safeguards for the privacy and personal data of those who live in the European Union related to any digital activity within those countries. Additionally, when data of EU citizens is migrated beyond the boundaries of EU nations, the GDPR states that protections must still be in force. These stipulations apply not just to companies located in Europe but to any businesses interacting with this consumer information (i.e., any organization with a website that processes, stores, or transfers the sensitive personally identifiable information (PII) of EU citizens).

The GDPR was enacted because public concern related to privacy and security is high. Statistics cited by CSO senior editor Michael Nadeau reveal just how important this topic is to consumers both within the EU and outside it: from a poll of 7500 consumers in the United States, United Kingdom, Germany, Italy, and France, 80 percent said that losing financial data was a major concern. Furthermore (and of great importance to business), nearly two-thirds of respondents (62%) said that they would consider the applicable company rather than cybercriminals at fault if their information was stolen.

Strategies to maintain cloud GDPR compliance

Keeping your organization’s cloud ecosystem compliant with the GDPR requires a thorough and multi-faceted approach. Here are five core tactics you can use to keep your company protecting data as it must in order to meet these critical guidelines:

1. Know your cloud systems and where data is located.

It is first necessary to identify all of the cloud systems that you are using. Consolidate apps so that you do not have multiple ones performing the same function. Sign an updated data processing agreement, one that adheres to the rules of the GDPR, with each of these vendors. Also, find out where the data resides for each of your cloud partners. Be certain that you know whether data is processed and stored in a single data center or depends on servers within several facilities.

2. Ensure that you are only collecting data you need.

One key way to protect yourself is to avoid gathering unnecessary data. You should also carefully restrict any “special” information (data about attributes such as race, ethnic background, religious identification, or political affiliation) that you handle. It should be clear within any data processing contracts with CSPs that the system will gather only the information from your users and company that the app must have in order to work correctly. These agreements should also state the limitations that will be placed on any special data collection. Furthermore, they should indicate that you are the owner of the data and that it cannot be shared with any outside parties.
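The two promises above (collect only what the application needs, and keep special-category data out unless there is an explicit, documented basis for it) can also be enforced at the intake boundary in code rather than only in the contract. The following is an added example, not code from the article or from Atlantic.Net; the allow-list, the special-category field names, and the sample submission are all constructed for a hypothetical signup form. One design point worth noting: the audit trail records field names only, never values, so the log itself does not become an unintended copy of the data you were trying not to collect.

```python
import logging
from dataclasses import dataclass, field

log = logging.getLogger("intake.minimisation")

# Fields this hypothetical application actually needs in order to work.
# Anything outside this allow-list is discarded before storage. (Constructed.)
REQUIRED_FIELDS = frozenset({"email", "display_name", "country"})

# Field names that usually carry special-category data (the article names
# race, ethnicity, religion and political affiliation). Constructed list.
SPECIAL_CATEGORY_FIELDS = frozenset({
    "race", "ethnicity", "religion", "political_affiliation",
    "health_condition", "sexual_orientation", "trade_union_membership",
})


@dataclass
class MinimisationResult:
    kept: dict                                            # what may be stored
    dropped: list = field(default_factory=list)           # unneeded, discarded
    special_flagged: list = field(default_factory=list)   # special data sent without a basis


def minimise(record, allowed_special=frozenset()):
    """Return only the fields the application is allowed to keep.

    - Fields outside REQUIRED_FIELDS are discarded before storage.
    - Special-category fields are discarded and flagged unless the caller
      names them in allowed_special, i.e. the explicit basis the processing
      agreement should document for that field.
    - Only field names reach the log, never values.
    """
    result = MinimisationResult(kept={})
    for key, value in record.items():
        is_special = key in SPECIAL_CATEGORY_FIELDS
        if is_special and key not in allowed_special:
            result.special_flagged.append(key)
            continue
        if key in REQUIRED_FIELDS or is_special:
            # Plain required field, or special field with a declared basis.
            result.kept[key] = value
        else:
            result.dropped.append(key)
    if result.special_flagged:
        log.warning("special-category fields received without a basis: %s",
                    sorted(result.special_flagged))
    if result.dropped:
        log.info("dropped unneeded fields: %s", sorted(result.dropped))
    return result


# Constructed sample submission: the client sends more than the application
# needs, including one special-category field with no declared basis.
SAMPLE_SUBMISSION = {
    "email": "a.user@example.com",
    "display_name": "A. User",
    "country": "DE",
    "phone": "+49 30 0000000",      # not needed by this app, so dropped
    "religion": "undisclosed",      # special category, flagged and dropped
}

if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    r = minimise(SAMPLE_SUBMISSION)
    print("stored:", r.kept)
    print("dropped:", r.dropped, "flagged:", r.special_flagged)
```

Passing `allowed_special={"religion"}` is the code-level counterpart of the contract clause that names a specific special category and its basis; without that explicit declaration the field never reaches storage, and the warning gives you a record that a client is sending data you said you would not collect.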

3. Report any breaches within 72 hours.

You, of course, must protect your systems, but it is also necessary to let the regulators know whenever your setup fails and a breach occurs. This process relies heavily on your relationships with CSPs, since you will need their assistance to get the necessary information to the authorities quickly and accurately. You must therefore be certain that the vendors you entrust have a knowledgeable staff that is able to identify breaches and respond to them immediately (see the section below on finding a provider). Keep in mind that you do not just have to worry about fines but also about consumer trust, since the details of these breaches will be published. Plus, joint and several liability is assigned to the cloud provider per the GDPR, so both the data controller and the data processor can be held accountable in court by any parties whose information is exposed.

4. Safeguard personal data from unauthorized access, tampering, or loss through robust security mechanisms.

Assess all the cloud apps and other elements within your ecosystem to ensure they meet your security policies. Either stop using those that are not fully compliant with your standards or put additional controls around them. Writing in the Cloud Industry Forum, Andy Aplin highlighted his organization’s software that checks cloud applications against nearly 50 guidelines, automating discovery and streamlining the process so that you can locate gaps and compare different services efficiently.

5. Eliminate data once you terminate use of the service.

Your agreement with the cloud provider should include language on how data removal would occur after you stop using the service. You want to know how long it will take them to delete your information once you cancel so that your exposure is as limited as possible.

Finding a strong, GDPR-compliant cloud provider

When you choose cloud vendors, you want them to care about securing critical data and maintaining compliance with the GDPR as much as you do. Your best bet is to choose a partner that has demonstrated a commitment to security and compliance. For instance, at Atlantic.Net (a cloud service provider), we are audited and certified to meet the security and privacy specifications set forth in the Payment Card Industry Data Security Standard (PCI DSS), Health Insurance Portability and Accountability Act (HIPAA Healthcare Hosting), and the Statement on Standards for Attestation Engagements 18 (SSAE 18, formerly SSAE 16) SOC 1 and SOC 2 (from the American Institute of Certified Public Accountants). The terms of our privacy policy have also been updated to reflect GDPR requirements.

Of course, you can ask questions, but you should also clearly see that the CSP is focused on security and compliance – so that any modifications to policies and procedures in response to the GDPR are tweaks rather than overhauls. Partnering with cloud vendors who are deeply concerned with privacy and security will not just ensure that you can maintain GDPR compliance but that you don’t have to do all the heavy lifting along the way.


Author Bio: Moazzam Adnan Raja has been the Vice President of Marketing at Atlantic.Net for 14 years. During Raja’s tenure, the Orlando-based, privately held hosting company has grown from having a primarily regional presence to garnering and developing attention nationwide and internationally. In collaboration with a skilled and dedicated team, Raja has successfully led a full spectrum of marketing campaigns, as well as handling PR work with major news outlets and the formation of key strategic alliances.
