GDPR Requirements for Cloud Providers

The General Data Protection Regulation (GDPR), which comes into effect on 25 May 2018, is a lot more wide reaching than many people are aware of. This wide reach can be especially important to recognise for third party providers, such as Cloud services providers. These providers could be affected by the GDPR even if they do not directly have any Europe based clients.


The Reach of GDPR


GDPR is intended to help bring some uniformity to the way in which data protection is dealt with across the EU. But, it does not just apply to EU based businesses and organisations. Any business which processes the personal data of EU based individuals has to comply with the stipulations of GDPR. So, what does this have to do with Cloud services providers, including those that do not have any Europe based clients?


The Responsibility of a Processor


As detailed in Article 82 of GDPR, data controllers and data processors now have joint responsibility for the security of personal data. They are also jointly responsible for ensuring that GDPR is complied with. This is different to what happened previously, when data controllers had overall responsibility.

Looking at this in relation to a Cloud services provider. If they provide services for a client which involves processing the personal data of EU citizens they have to comply with the stipulations of GDPR. This applies whether the client is based in the EU or not.

If the Cloud services provider takes any action that is not compliant, they can be held directly accountable. Given the fact that data controllers and processors can be held equally accountable, under GDPR, all contracts between the data controller and the Cloud services provider should include provisions regarding this matter.

This is a significant change for Cloud services providers, and one which they cannot afford to take likely. Non-compliance with GDPR can result in the imposition of costly fines.