Skip to the content


How cloud the computing industry will be affected by GDPR


The end of 2015 saw Europe finally agree draft legislation known as the General Data Protection Regulation (GDPR); a set of measures aimed at replacing the aging Data Protection Directive.

It is the first rewrite of privacy laws in Europe for 20 years and is set to be a substantial extension of current liability and compliance obligations.

Current legislation currently covers the obligations of those in control of data, but not processors, who are often only subjected to the terms outlined in their contract to their controller.

It means that in the case of a cloud hosting service, the customer would be a controller while the service provider would take the role of the processor.

The limited reach of the Directive has lead to criticism that processors are relatively insulated, with the controllers acting on their behalf otherwise imposing specific contractual obligations.

The GDPR aims to change the situation, expanding the scope of current laws to cover controllers, while also introducing statutory obligations for processors for the very first time.

The rules will primarily offer greater guidance on accountability, engaging with engaging sub-processors, as well as data security and data breach notification.

How does it apply to cloud providers?

Cloud providers will already have to assess the terms of GDPR and what it means for them as users of such services are likely to demand adapted terms of service in order to protect a customer's own data in accordance with the new rules.

Another consideration is likely to be the legal compliance in relation to cloud processing activities.

Nevertheless the new law has been largely welcomed by a number of cloud providers, albeit with a level of caution.

Many providers based in Europe and the US see the legislation as a step in the right direction for facilitating the process of winning new business across Europe while also encouraged by the prospect of being on an equal footing with data controllers when it comes to liability for breaches and other violations.

However, there are still challenges that will need to be overcome, particularly for companies based in the US, who are likely to come under increased pressure to build datacentres in Europe amid the European Court of Justice's decision to render the validity of the US Safe Harbour Agreement as "invalid".

David Barker, technical director of Surrey-based colocation provider 4D, adds that  the joint liability requirements are likely to also prove to be a source of concern for many cloud firms.

He told Computer Weekly: “Traditionally, cloud providers – mainly those in the infrastructure-as-a-service (IaaS) category – haven’t really wanted or needed to know what data is actually being held on their servers, and have simply provisioned a one-size-fits-all solution that you can subscribe to.

“If we’re becoming liable for the data customers put on to those servers, there needs to be some clear delineation on where the responsibility for that data lies; how the underlying cloud infrastructure is being protected; and how the customer protects any data they put on those virtual servers.”


Mr Barker also insists that many cloud firms will have to take an increased interest in what exactly users are planning to store on the their infrastructure, causing a rise in overheads and, eventually, an increased cost for the customer.

Those challenges will be further compounded by joint liability requirements stating that cloud providers will be obliged to alert the authorities to data breaches within 72 hours.

Having a solid incident-response management programme in place will therefore be crucial.

Given that one of the main advantages of cloud computing is the lower cost to the end user when compared to on-site solutions, any rise in price is understandably likely to cause unease among many providers.

“The costs are going to start to creep up to take into account the additional administration of dealing with these regulations for each customer deployment, and we might even see more bespoke requirements for production systems for larger businesses,” Mr Barker says.

However, when considering the alternative of either a fine of up to €100 million or five per cent of the company’s annual global turnover, some corporate customers may well be happy to pay the slightly increased price as an insurance.