How to choose a GDPR compliant cloud service provider

The General Data Protection Regulation (GDPR) go-live date is rapidly approaching.

By May 2018, organisations across Europe and beyond will need to be fully compliant with the new GDPR regulation to avoid the risk of fines or, in extreme cases, even trading bans.

It will likely be a huge task for businesses across the UK to achieve full compliance by May 18 – especially as the new GDPR is more stringent than the current Data Protection Act 1998.

The introduction of more stringent data protection guidelines was inevitable now that we operate in a new technology landscape where many of our interactions are online, with masses of data stored across cloud services, apps, phones and laptops, to mention just a few.

Supporters of the GDPR see it as a small step in terms of an increased regulatory burden, as in many respects codes of practice which should already be in place within businesses today are being turned into more formal legal obligations.  Many businesses, on the other hand, are struggling to figure out what they need to do to become compliant in time for May 2018 when the GDPR comes into effect. A good number of these businesses have actually struggled to understand what they should be doing to meet existing data protection requirements, and for them, compliance with the GDPR will be an even greater challenge.

The challenge for businesses of all sizes

GDPR is not just a concern for large corporates – it will affect businesses of all sizes.  The GDPR’s primary aim is to better protect the data of EU citizens, so a business of any size that is handling EU citizens’ personal data will need to adhere to the new regulations.  If not, they risk fines of up to 4% of annual turnover and the possibility of bans on trading in EU locations if providers do not comply with the GDPR.

Some organisations are further away from achieving compliance than others.  The list of organisations which the Information Commissioner’s Office has taken enforcement action against to date is available on its website (1), and it’s likely that many of these institutions will struggle to meet the new regulations in time, if today’s standards are already proving a struggle.

Martin Hoskins, Associate Director at Grant Thornton and a specialist in data protection policy, believes that many businesses are only now waking up to how much there is to do in order to achieve GDPR compliance in time.

“Businesses will need to have comprehensive Information Asset Registers in place when GDPR comes into force,” commented Hoskins. “They will be expected to understand  – and the larger businesses will be expected to formally document – what data they have, how long it is retained for, who it is shared with, what security controls protect the data and where it is stored.”

Businesses also need to think about the IT systems they are storing their data on, I believe. Countless data volumes are residing on non-compliant legacy IT systems, and being handled by legacy applications that no longer align to the obligations set out in the GDPR. This is one of the reasons that moving services to a cloud infrastructure delivered by a provider with in-house expertise about GDPR compliance can be safer than leaving legacy systems running in-house.

The Brexit impact

Brexit has raised many questions for customers choosing a new cloud service provider, with concerns emerging over data residency and the locations of server farms.

“Many UK customers are asking whether Brexit will affect whether they have to be GDPR compliant,” says Hoskins. “However, GDPR policies have been put in place to protect how EU citizen data is being handled.  So, if you are a UK business with customers in the EU, or you have operations based in the EU, then you will still need to be GDPR compliant – regardless of Brexit.  And, following Brexit, it is highly likely that the UK will continue to enact data protection laws that are remarkably similar to the standards required by the GDPR to protect the personal data of UK data citizens. This will also help assure European companies that their data is safe in British hands.”

The message seems to be that, in an increasingly global world with customers located across the globe and data stored in multiple locations, it’s unlikely that Brexit will have a bearing on whether you need to be GDPR compliant.

Choosing a hosting provider

GDPR marks a change in the balance of responsibility between data controller and data processor.  Under the new regulations, data processors (such as IT hosting providers and cloud hosters) will have more responsibility to better protect data.  Customers will need to start questioning their cloud providers or potential new suppliers more thoroughly about whether they are GDPR compliant and how they can demonstrate that they are GDPR compliant.

It’s also critical to understand where cloud providers are storing your data – they might have UK or EU datacentres but does your contract prevent data being transferred between their datacentres outside of the EU? And are you aware when it is being transferred? You can still host your IT with providers outside of the EU, but you will need to ensure that these providers have safeguards and security measures in place that meet the GDPR standards in order to remain compliant if you are handling EU citizen data.

There are also questions over whether customers should host with non-UK cloud providers, but the crucial point is more about whether your provider is adhering to GDPR standards, wherever your systems are being hosted.  Many providers offer localisation guarantees, such as Amazon Web Services, which allows customers to choose whether data is located in the EU, or specifically in the UK (2).  Despite this, customers often need more control over their data and have specific contract requirements that many of the hyper-scale cloud providers such as AWS or Google can’t bend their contracts to meet.

For example, we recently delivered a cloud service to a Netherlands-based customer who had originally tried to source their cloud solution from Amazon Web Services. However, AWS weren’t able to personalise their contract to meet specific data protection requirements already in force in Holland.  Carrenza was able to step in and tailor the contract to meet the customer’s GDPR requirements and offer a cloud service that could better align to their needs.

Carrenza works with customers who have a wide range of requirements when it comes to where their data resides, balanced with service cost and scalability.  Options range from UK-based data centres powered by HPE enterprise infrastructure for maximum performance and availability locally, through to public cloud solutions from providers such as AWS wrapped into a Carrenza management service.

What do businesses need to do?

So, what do you do to ensure you’re making the right choice about your cloud provider, in light of the GDPR and current data protection policies?

  • Ask your provider whether they are GDPR compliant or have measures in place to become compliant in time for May 2018 when the GDPR comes into effect.
  • Some cloud providers are signing up in advance to an industry code of conduct that aligns with GDPR standards, so it could be useful to review your supplier’s position on these regulations (3).
  • Carry out a risk assessment to determine the level of risk you could pose to individuals should your data be compromised, to understand if you need to take further measures to protect that data.
  • If you’re handling large amounts of personal information about individuals then you may need to appoint a Data Protection Officer (DPO). Companies involved in large-scale monitoring, CCTV recording or profiling will certainly need to consider this.
  • Be sure about where your data and applications are stored if you are working with a cloud provider – is that data ever moved out of the EEA? What does your contract say about data residency guarantees?

Carrenza are holding a number of events on GDPR to help you get to grips with the new regulations and how they can affect you.

We are delivering these events in conjunction with Grant Thornton, giving you the opportunity to hear from experts in the industry about the impact of GDPR and how to get ready for May 2018.

Register to attend our next GDPR sessions, held in partnership with Grant Thornton on the following dates:

Wednesday, 14 June / Amsterdam

Wednesday, 21 June / London


Delivered by HPE and Carrenza

Carrenza is an HPE Silver PartnerReady Service Provider, delivering hosting and cloud services to customers across the UK and Europe.  Powered by HPE products and technologies, HPE Service Provider partners deliver a wide range of services, including dedicated hosting, hybrid cloud hosting, managed hosting and application-specific hosting for mission-critical applications.  HPE supports Carrenza in delivering its unique, UK-based Multi-Cloud solution through joint go-to-market initiatives and sales engagement.
