Cloud Services And The GDPR: A Guide For Business Responsibilities

Dakota Murphey

The General Data Protection Regulation (GDPR) was introduced in May 2018, making huge changes to the rules and regulations surrounding the processing of data. This has had ramifications across businesses in all industries, but perhaps one of the most important is for cloud service providers.

“Cloud document storage and management services are growing enormously in popularity,” says Ed Entecott, director at Document Options, “but a number of issues surrounding the GDPR and the responsibilities of businesses are still misunderstood in many companies.”

Using the cloud has an obvious range of benefits, but the GDPR can complicate matters. What does this mean in relation to key issues such as Amazon Web Services’ Shared Responsibility Model? And how will the GDPR affect the economics of the web-hosting industry? In this article, we take a closer look at how cloud service providers and the businesses that use them are affected by the GPDR.

Changes made by the GDPR

The GDPR represents the most significant change to the rules and regulations surrounding data protection in many years. The regulation replaced the Data Protection Directive (DPD) set out in 1995. Clearly, a lot of things have changed since then. (In fact, cloud computing didn’t even exist in the form we know it today.)

The regulation is designed to prevent companies from processing, using, storing, or sharing the personal data of European citizens without getting their proper consent to do so. There are also various other rules, including a “right to be forgotten” in which someone can choose to have their personal details removed from your database at any time.

This clearly has huge implications for both cloud services providers and businesses that utilize cloud hosting and storage. Failing to comply with the rules can see your business facing fines of up to €20 million or four percent of global turnover (whichever is greater).

What’s required from cloud service providers

Effectively, the GDPR is an enhanced version of previous regulations. Make sure that the cloud service provider you work with has made significant changes to its operations accordingly – or can explain to you how they are complying with the rules.

For example, it is necessary for cloud service providers to take a proactive approach to cybersecurity to ensure that data is safe. They also need to follow best practices on encryption, provide remote server hosting, and store decryption keys away from the database.

It shouldn’t matter where your service provider is based. Whether the provider handles the data of a European citizen, or if your organization does, then the provider is required to follow the rules of the GDPR. Any breaches of data that are the fault of the cloud service provider will mean punishment for your provider, rather than for you – although this issue is fraught with complications.

Who is responsible for GDPR compliance – user or provider?

Well-known services providers such as Amazon Web Services and Microsoft Azure work with a shared-responsibility model. Essentially, this means that the provider will take responsibility for securing data on its servers. However, the business using the services is responsible for the cybersecurity of its own infrastructure, website, and computer system.

Additionally, it is not yet clear whether the GDPR will have an impact on the economics of using cloud services. There currently has been no noticeable hike in prices related to GDPR compliance. However, as it is still relatively early in the process, it remains to be seen what sort of impact the GDPR could have on pricing.

How cloud-services customers can ensure compliance

If you are working with a cloud services provider, you clearly need to ensure that both you and the provider are in full compliance with the GDPR. Here are the steps to take.

  • Understand where your responsibilities lie. Different cloud services providers will have their own rules surrounding data responsibilities. Read through the terms and conditions to understand what they are doing for you, and what they expect you to do.
  • Change providers if necessary. It is possible that your current provider can’t offer you the kind of security you need to remain compliant, in which case, you may need to work with another.
  • Work with GDPR specialists. Even if you have had assurances from your cloud service providers that you are GDPR compliant, it is important to make your own preparations to be confident. Ultimately, you are responsible for your GDPR compliance, so work with specialists in the industry to ensure that you are doing what’s necessary.

For more insight, read “Who Owns What? Your Data Protection Responsibility In The Multi-Cloud World.”


About Dakota Murphey

Dakota Murphey is a tech writer specialising in cybersecurity, working with Redscan on this and a number of other GDPR, MDR, and ethical hacking projects.