
The Impact of GDPR on the Cloud Service Providers

The EU’s General Data Protection Regulation (GDPR) grants new rights to individuals and imposes new requirements for organisations. This will have a considerable impact upon cloud service providers that process personal data (CSP processors).


According to the current EU Data Protection Directive (95/46/EC), the data controllers, not the data processors, are responsible for legal compliance. Processors carrying out processing on behalf of the controller, as is the case in the majority of cloud service arrangements, are not directly subject to the Directive’s rules. GDPR introduces changes to the role of processors in protecting personal data. Cloud service providers are affected by GDPR because they are processors. They are processors if they process data of any citizen of the EU, so US, Russian and Chinese sites are also affected.

With cloud computing the relation of data to a geographical location can be blurred, and it is not always clear where data is stored. Therefore, it can be difficult for an enterprise to determine the applicable law, since physical location is a decisive factor in determining which privacy rules apply. Another challenge lies in the externalisation of privacy: enterprises that make use of cloud service providers expect that the privacy commitments they have made to their own customers and employees will continue to be honoured by the cloud service provider.

There might also be difficulty in effectively implementing data retention policies when utilising cloud services. Under the GDPR, personal data may not be stored longer than needed for the predefined purpose. Therefore, retention periods must be implemented, and you must be able to delete data effectively when retention periods have expired, both for data stored locally and in the cloud. The deletion of data itself also poses a challenge: to delete data completely, backups must be taken into consideration as well. It is therefore important to have a clear overview of how your cloud service providers secure backups and manage retention.

In order to comply with GDPR, if you are a cloud consuming organisation that serves European customers, you should do the following:

  1. Know the location where the cloud apps are storing or processing data
  2. Ensure adequate security measures in order to prevent personal data loss or unauthorized processing
  3. Sign a data processing agreement with the cloud apps you are using
  4. Collect only “necessary” data and limit the processing of “special” data
  5. Make sure that cloud apps are not using personal data for other purposes
  6. Ensure that you can erase the data when you stop using the app

It’s essential that everyone understands the importance of GDPR and takes responsibility for the data they come in contact with, whether they are controllers or processors. Organisations must take the time to assess that their CSPs are compliant with GDPR before the deadline. You can now use our comprehensive online tool to simplify the path to GDPR implementation: start now with GDPRQ.


Date of the last modification of the website: 2019.03.08