Part 2: Cloud Processor Responsibilities Under GDPR [Article]

By: Paul L. Kendall, Accudata Systems

As discussed previously, in Part 1 of our GDPR series, GDPR is a major game-changer for any US corporation that stores, processes, or transmits data about EU citizens, regardless of where the activities take place. Although this is an EU regulation, its impact is global, and the regulatory requirements are considerably more stringent than previous EU privacy initiatives. There are 10 major components of the Regulation that should be carefully noted[1]:

  1. Increased fine structure: 4% of global gross revenue, or 20MM euros, whichever is GREATER
  2. Opt-in/Opt-Out: must be easy for users; explicit opt-in/opt-out, companies may use data only as agreed
  3. Breach Notification: must occur within 72 hours of breach discovery; reporting is to the EU regulators (via Supervisory roles – more on this later)
  4. Territorial Scope: global for any organization with data on EU individuals
  5. Joint Liability: both data processors and data controllers (more later)
  6. Data Rights: user-centric (the users control the rights to the data)
  7. Legal Simplification: 28 different EU laws are being replaced by the GDPR
  8. Data Transfer and Privacy: privacy rights must move with the data
  9. Enforcement: authorities have established much stricter enforcement approaches
  10. Collective Redress: class action lawsuits from individuals permitted/encouraged

Three new terms are introduced here:

  1. Supervisory role: this is the Information Commissioner’s Office (ICO) of the European Data Protection Board. All breaches must be reported through this office. Each country is likely to have its own independent commission for this purpose, so a list is very useful and should be kept up to date.
  2. Data Controller: the organization that determines the purpose and method for processing data. In most cases, this is the organization that uses the data for its own purposes.
  3. Data Processor: any organization that processes the data on behalf of the Controller (e.g., cloud services).

It should be noted:

Any processor or controller that does not have a physical business presence in the EU must designate (in writing) a representative that resides in the EU. That representative must be legally mandated to interact with both Supervisory Authorities AND Data Subjects with regard to GDPR. Finally, designation of a representative does not in any way reduce or limit the liability of either the controller or processor.

Cloud Services will, in most cases, fall under the definition of a processor. Migration of data to a cloud service does not absolve the controller of security and privacy obligations, however. The controller must ensure, through a legally binding contract, that the processor:

  1. performs its roles only as specifically authorized by the controller,
  2. ensures its employees observe all requisite security and privacy rules,
  3. takes appropriate security actions and measures,
  4. assists the controller in ensuring appropriate technical, organizational, and compliance obligations are met,
  5. deletes or returns all data at the termination of services, and
  6. provides the controller with all information necessary to demonstrate compliance under the GDPR.

To determine their level of compliance requirements, cloud providers must determine if any of their customers are managing EU personal data. Those cloud services that operate in a global network also need to ensure that they are diligent in how they transfer data around the cloud; everywhere EU data goes, the security and privacy constraints must follow and be in place. This may require that changes to the data transfer models be put in place to avoid data migration outside of environments that are GDPR compliant.

What about the US-EU Privacy Shield Agreement?

“I will just self-certify under the US-EU Privacy Shield, so I don’t have to worry.” Perhaps, but there have been a number of concerns expressed by the EU commission on the adequacy of the Privacy Shield regulations, mostly around the perceived inability to limit US collection of EU citizens’ data. The Privacy Shield is renewed on a biannual basis; it is due for renewal in July 2018. While the agreement remains in effect for now, it is anticipated that unless the concerns of the EU commission are adequately addressed, the Privacy Shield will go the route of the Data Protection Act, and GDPR will become the de facto standard. Recent legislation that eases restrictions on US ISPs has done nothing to resolve these concerns. As a result, many organizations are looking at the GDPR to ensure compliance in an uncertain environment.


According to PwC[2], any American global corporation that has not yet begun to prepare for GDPR is already well behind the curve in terms of compliance by the deadline date. Currently, many large US companies are involved in significant data-discovery and assessment engagements designed to define a multi-million-dollar remediation plan to address GDPR requirements. Such plans include strategic initiatives, such as improving standard data-privacy and security capabilities in their onshore operations. The scarcity of current thinking on the part of EU regulators is creating a widening gap in efforts as companies stall to try and determine how the regulators will seek to interpret GDPR requirements. During the rest of 2017 and into 2018, as that interpretation begins to emerge, expect more US corporations to re-evaluate their position with regard to EU data and their overall European data management programs.


Additional Resources:

Part 1: EU General Data Protection Regulation (GDPR): What It Means for US Companies

Part 3: GDPR and the Future of the EU-US Privacy Shield 


[1] IT Governance Privacy Team. EU General Data Protection Standard: An Implementation and Compliance Guide. © 2016, ITGP. pp 15-28.

[2] PriceWaterhouseCooper. GDPR Series: Pulse Survey: US Companies ramping up General Data Protection Regulation (GDPR) budgets. 2017.