The cloud vs GDPR: a compliance nightmare?

09. January 2018 | Drooms Global

This month we were featured in Finance Monthly and shared our expertise in the field of data privacy and protection. Drooms cofounder and chairman Jan Hoffmeister points out the challenges facing businesses that rely on cloud services – basically everyone. We share some excerpts on what the new regulation means for cloud service providers as data processes and some basic steps to compliance below! Just follow these recommendations to ensure a smooth transition as of May 2018.


As of May 2018, the General Data Protection Regulation (GDPR) will come into force causing businesses far and wide to reshape their data privacy practices.  

The rules of the GDPR apply irrespective of whether data is stored in the cloud or on paper. The former in particular presents several challenges with regards to compliance.

On the one hand, according to Elastica’s Shadow Data Threat Report, as little as one percent of cloud providers’ internal processes are compliant with the new legislation. Less than three percent enforce secure password policies to meet the requirements of the GDPR. This has in part got to do with the Directive’s emphasis on the controller rather than the processor, leaving many a provider unaccountable for the role they play in data privacy and security. Aside from the scenario where direct contractual obligations are enforced on behalf of the controller, processors are not held liable for loss or exposure of information. Where regulation isn’t an issue cloud service providers can limit their focus to ease of use and navigation of their platforms and services.

On the other hand and according to the most recent Netskope Cloud Report, EU firms are unaware of how many cloud applications their organisations are actually using, which on average is believed to be over 600 software programs.

The new rules will be far more stringent than ever before, the threat of fines as high as 20 million EUR or four percent of a companies’ annual revenue (whichever is highest) real, and the sharing of liability binding between both processor and controller. Cloud providers as well as users must enforce a series of technical and organisational procedures to guarantee the level of security required. According to Dr. Rois Ni Thuama, Head of Cyber Governance at OnDMARC the fines are not necessarily the biggest threat to a business’s bank account. The data subject’s right to sue following a breach, whatever the implications, is far more concerning.

“What we are seeing now is a clear division between a growing number of companies that say ‘wait, this GDPR thing is real’, and those who still don’t understand you cannot simply move data around the cloud without addressing data privacy. Privacy regulation is becoming mainstream in IT, in the same way that drug licensing became so for the pharmaceutical industry. It’s either make it clear that you comply, or forget about selling to serious customers,” says Bostjan Makarovic Founder of Aphaia, a GDPR-focused consultancy.

The attitudes of controllers and processors will need to change drastically especially when it comes to negotiating agreements. Strict provisions on the scope of duties of the controller and processor will need to be defined and implemented. Annabel Jones, UK Director at ADP commented: “contractual due diligence will be even more important as businesses seek to partner up with companies that can show data is processed lawfully”. An increase in third party due diligence and a greater focus on insurance policies will most likely also be discernable.

Four steps to compliance

  1. Select a provider able to tell their clients where the data they process and store is located. According to the GDRP data transfer to a third party outside the EU that does not have adequate data protection standards is only allowed under certain circumstances. Currently only 11 countries meet such standards. 
  2. Ask yourself, are there any third parties involved in the processing of the data? According to Trustwave’s Global Security Report, approximately 63% of data breaches involve third parties who are often considered a company’s biggest area of risk exposure. As a result they will be the first to be investigated by regulators. If the latter are involved at some stage of the process, measures need to be taken to ensure that they too are compliant.
  3. Security should be a top priority for providers who ought to be able to explain the various measures adopted to protect data from modification, unsanctioned processing or loss. All data centers must be compliant with the latest ISO certifications, the storage and transmission of documents should be carried out exclusively via SSL connection with AES 256-bit encryption. At Drooms, we take security extremely seriously and make a conscious effort to continuously comply with the highest standards out there.
  4. Regular penetration tests should be carried out to assess data security. Two-factor authentication, data deletion, trash retrieval and access controls are some of the best ways data owners can have autonomy on how and whether their data is kept.  

For the full article on Finance Monthly click here.