GDPR Compliance in the Cloud

By Moazzam Adnan Raja, Atlantic.Net

On May 25, 2018, the General Data Protection Regulation (GDPR) became enforceable. The GDPR is binding law, not a voluntary set of standards and guidelines, and it deserves special consideration in cloud computing, where personal data is routinely processed by third parties and moved across borders. This article reviews what the GDPR is, tactics you can use to protect personal data within cloud environments, and how you can identify a cloud service provider (CSP) that takes GDPR compliance and data protection seriously.

What is the General Data Protection Regulation?

This privacy law, adopted by the European Parliament and the Council in April 2016 (Regulation (EU) 2016/679), replaced the Data Protection Directive of 1995 (Directive 95/46/EC). The regulation requires organizations to safeguard the personal data of individuals who are in the European Union; it protects data subjects located in the EU, not only EU citizens. When that data is transferred beyond the EU, the GDPR requires that the same protections remain in force, and Chapter V restricts transfers to third countries to cases where a lawful transfer mechanism exists (an adequacy decision, standard contractual clauses, or another listed safeguard). These obligations apply not only to companies located in Europe but to any organization that offers goods or services to people in the EU or monitors their behaviour, which in practice means any business whose website or back-end systems process, store, or transfer the personal data of people in the EU. Note that the GDPR's term is "personal data", which is broader than "sensitive personally identifiable information (PII)": it covers any information relating to an identified or identifiable person, including online identifiers such as IP addresses and cookie IDs.

The GDPR was enacted at a time of high public concern about privacy and security. Statistics cited by CSO senior editor Michael Nadeau show how important this topic is to consumers both within the EU and outside it: in a poll of 7,500 consumers in the United States, United Kingdom, Germany, Italy, and France, 80 percent said that losing financial data was a major concern. Furthermore (and of great importance to business), nearly two-thirds of respondents (62%) said that if their information were stolen they would blame the company holding it rather than the cybercriminals.

Strategies to maintain cloud GDPR compliance

Keeping your organization's cloud ecosystem compliant with the GDPR requires a thorough, multi-faceted approach. Here are five core tactics you can use to keep your company protecting personal data the way the regulation requires:

1. Know your cloud systems and where data is located.

Begin by identifying every cloud system you are using, including services adopted by individual teams without central approval. Consolidate apps so that you do not have several performing the same function. Sign an up-to-date data processing agreement with each of these vendors (the written contract that Article 28 of the GDPR requires between a controller and every processor acting on its behalf) and confirm that its terms adhere to the GDPR. Also, find out where each cloud partner stores and processes your data: whether it sits in a single data center, is replicated across several facilities, or is handled by sub-processors in other jurisdictions. Any facility outside the EU/EEA means a cross-border transfer that needs a documented, lawful transfer mechanism under Chapter V.
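The inventory review described above can be turned into a repeatable check. The following Python script is an added example, not code from the original article or from any provider it mentions: it runs over a constructed cloud inventory (the vendor names, facility codes and field names are invented for illustration) and flags services that hold personal data outside the EU/EEA, services spread across more than one facility, services with no signed data processing agreement, and functions duplicated across vendors. A non-EEA hit is not automatically a violation, but it does mean a Chapter V transfer mechanism must be documented for that service.

```python
"""Data-residency and processor-inventory audit (added example, not from the article).

The inventory below is constructed: one record per storage/processing location used
by a cloud service, with the ISO 3166-1 alpha-2 country code of the facility, whether
the service holds personal data, and whether a GDPR Article 28 data processing
agreement (DPA) has been signed with that vendor. Real inventories would come from
each provider's asset listing or the annex to its DPA.
"""
from collections import defaultdict

# The 27 EU member states plus the three EEA EFTA states (Iceland, Liechtenstein, Norway).
EEA = {
    "AT", "BE", "BG", "HR", "CY", "CZ", "DK", "EE", "FI", "FR", "DE", "GR",
    "HU", "IE", "IT", "LV", "LT", "LU", "MT", "NL", "PL", "PT", "RO", "SK",
    "SI", "ES", "SE", "IS", "LI", "NO",
}

# Constructed sample inventory; vendors, facilities and services are hypothetical.
INVENTORY = [
    {"service": "crm",      "vendor": "vendor-a", "facility": "fra-1", "country": "DE", "personal_data": True,  "dpa_signed": True},
    {"service": "crm",      "vendor": "vendor-a", "facility": "iad-2", "country": "US", "personal_data": True,  "dpa_signed": True},
    {"service": "backup",   "vendor": "vendor-b", "facility": "dub-1", "country": "IE", "personal_data": True,  "dpa_signed": False},
    {"service": "metrics",  "vendor": "vendor-c", "facility": "sgp-1", "country": "SG", "personal_data": False, "dpa_signed": True},
    {"service": "helpdesk", "vendor": "vendor-d", "facility": "ams-1", "country": "NL", "personal_data": True,  "dpa_signed": True},
    {"service": "helpdesk", "vendor": "vendor-e", "facility": "zrh-1", "country": "CH", "personal_data": True,  "dpa_signed": True},
]


def audit(inventory):
    """Return {finding_kind: sorted list of affected service names}.

    non_eea_transfer   personal data held in a facility outside the EU/EEA
                       (needs a Chapter V transfer mechanism on file)
    multi_facility     service relies on more than one facility
    missing_dpa        personal data processed by a vendor with no signed DPA
    duplicate_function same function bought from more than one vendor
    """
    by_service = defaultdict(list)
    for rec in inventory:
        by_service[rec["service"]].append(rec)

    findings = {
        "non_eea_transfer": set(),
        "multi_facility": set(),
        "missing_dpa": set(),
        "duplicate_function": set(),
    }
    for service, recs in by_service.items():
        # Only records that actually hold personal data are in GDPR scope.
        personal = [r for r in recs if r["personal_data"]]
        if any(r["country"] not in EEA for r in personal):
            findings["non_eea_transfer"].add(service)
        if any(not r["dpa_signed"] for r in personal):
            findings["missing_dpa"].add(service)
        if len({r["facility"] for r in recs}) > 1:
            findings["multi_facility"].add(service)
        if len({r["vendor"] for r in recs}) > 1:
            findings["duplicate_function"].add(service)

    return {kind: sorted(services) for kind, services in findings.items()}


if __name__ == "__main__":
    for kind, services in audit(INVENTORY).items():
        print(f"{kind:20s} {', '.join(services) or '-'}")
```

The "metrics" service sits in Singapore but is not flagged, because the record says it holds no personal data; whether that claim is true is exactly the kind of thing the inventory exercise should verify with the vendor.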

2. Ensure that you are only collecting data you need.

One key way to protect yourself is to avoid gathering unnecessary data; the GDPR calls this data minimisation. You should also carefully restrict any "special category" data that you handle (Article 9 covers racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic and biometric data, health data, and data concerning a person's sex life or sexual orientation), since processing it is prohibited unless a specific exception applies. Your data processing contracts with CSPs should make clear that the system will collect only the information from your users and company that the app needs in order to work correctly, and should state the limits placed on any special category data. They should also make clear that you remain the controller, that the provider processes the data only on your documented instructions, and that it may not disclose the data to third parties or engage sub-processors without your authorization.

3. Report breaches to the regulator within 72 hours.

You must, of course, protect your systems, but it is also necessary to notify the regulator when your defences fail and a breach occurs. Under Article 33, the controller must notify the supervisory authority within 72 hours of becoming aware of a personal data breach, unless the breach is unlikely to result in a risk to individuals, and the processor must notify the controller without undue delay. Under Article 34, individuals must also be informed directly, without undue delay, when the breach is likely to result in a high risk to them. This process relies heavily on your relationships with CSPs, since you will need their assistance to get accurate information to the authorities quickly. Be certain that the vendors you entrust have a knowledgeable staff able to identify breaches and respond to them immediately (see the section below on finding a provider). Keep in mind that you have to worry not only about fines (up to 20 million euros or 4 percent of worldwide annual turnover, whichever is higher, under Article 83) but also about consumer trust, since regulators can publicise enforcement action and affected individuals will often have to be told directly. Liability is also shared: under Article 82 a processor is liable for damage where it has failed to meet its own GDPR obligations or has acted outside the controller's lawful instructions, and where both controller and processor are responsible each can be held liable for the entire damage, so both can be pursued in court by anyone whose data is exposed.

4. Safeguard personal data from unauthorized access, tampering, or loss through robust security mechanisms.

Assess all the cloud apps and other elements within your ecosystem to ensure they meet your security policies. Either stop using the ones that are not fully compliant with your standards or put additional controls around them. Article 32 sets the bar in terms of outcomes rather than products: measures appropriate to the risk, which it illustrates with pseudonymisation and encryption of personal data, ongoing confidentiality, integrity, availability and resilience of processing systems, the ability to restore access to data promptly after an incident, and regular testing of the effectiveness of those measures. Writing in the Cloud Industry Forum, Andy Aplin highlighted his organization's software that checks cloud applications against nearly 50 guidelines, automating discovery and streamlining the process so that you can locate gaps and compare different services efficiently.

5. Eliminate data once you terminate use of the service.

Your agreement with the cloud provider should spell out how data removal occurs after you stop using the service. Article 28 requires the processor, at the controller's choice, to delete or return all personal data at the end of the service and to delete existing copies unless EU or member state law requires their retention, so the contract should say which option applies and how long deletion will take once you cancel. Ask specifically about backups, replicas and log data, since those are the copies most often left behind, so that your exposure is as limited as possible.

Finding a strong, GDPR-compliant cloud provider

When you choose cloud vendors, you want them to care about securing personal data and maintaining compliance with the GDPR as much as you do. Your best bet is to choose a partner that has demonstrated a commitment to security and compliance through independent audits. For instance, at Atlantic.Net (a cloud service provider), we are audited and certified against the Payment Card Industry Data Security Standard (PCI DSS), offer HIPAA-compliant healthcare hosting under the Health Insurance Portability and Accountability Act, and have Statement on Standards for Attestation Engagements 18 (SSAE 18, formerly SSAE 16) SOC 1 and SOC 2 reports from the American Institute of Certified Public Accountants. None of these is a GDPR certification in itself, but each is independent evidence of the audited security controls that Article 32 expects. The terms of our privacy policy have also been updated to reflect GDPR requirements.

Of course, you can ask questions, but you should also be able to see clearly that the CSP is focused on security and compliance, so that any modifications to its policies and procedures in response to the GDPR are tweaks rather than overhauls. Partnering with cloud vendors who take privacy and security seriously will not only help you maintain GDPR compliance but also spare you from doing all the heavy lifting along the way.

Author Bio: Moazzam Adnan Raja has been the Vice President of Marketing at Atlantic.Net for 14 years. During Raja’s tenure, the Orlando-based, privately held hosting company has grown from having a primarily regional presence to garnering and developing attention nationwide and internationally. In collaboration with a skilled and dedicated team, Raja has successfully led a full spectrum of marketing campaigns, as well as handling PR work with major news outlets and the formation of key strategic alliances.
