EU’s New Data Privacy Laws: What They Will Mean for the Cloud and You

Sabi Goriawala / Co-Founder & VP, Marketing, PerfectCloud

Cloud computing may come with plenty of benefits, but it also comes with plenty of security and privacy concerns. These include malicious insiders, BYOD, data breaches from vulnerabilities, third-party apps and APIs. Risk also comes from the lack of established industry standards among cloud providers as well as the lack of regulations across Europe.

That may all change if the new EU General Data Protection Regulation (GDPR) requirements are implemented. Negotiations are beginning this month to consolidate all the EU-member nations data protection regulations into a single EU law.  A recent Sophos study found 84 percent of cloud end-users agreed Europe needed stronger data protection laws, other research discovered that only 1/100 cloud providers are ready to embrace the new regulations.

New Regulation Impact and How to Prepare

The GDPR sets uniform standards across all of Europe instead of letting countries opt-in to which directives they want to follow. Non-compliance can net fines as large as €100m or 5 percent of your global turnover, whichever is highest. The overall aim is to enhance cloud security and protect cloud users, and the impact is expected to be huge.

Liability for data breaches will now be shared by data controllers, or companies that own the data, as well as data processors, or cloud providers or hosting companies that manage the data. That means data controllers need to ensure the providers they choose are following the new regulations before they even sign on.

That also means cloud providers are required to disclose how their data processing is conducted and what security measures they use — information that’s typically been held close to the chest. And that’s just the beginning. The new regulations also require:

  • Consent to collect data from individuals who “opt-in,” and making it easy for individuals to “opt-out”
  • The “Right to Erasure” which deletes all customer data at the customer’s request
  • A clear privacy policy be provided to all data subjects
  • Subjects receive a copy of their personal data upon request
  • An annual risk analysis that outlines risks as well as steps taken to correct them
  • Each country establish a Single Data Protection Authority
  • Appointment of a Data Protection Officer for organizations that process more than 5,000 data subjects
  • Full documentation of any breach, along with immediate notification of that breach to the proper authority

Additional requirements come with added administrative burdens. When contracts are terminated, providers must hand over all data to the data controllers. Providers must obtain permission from the client before enlisting any 3rd party services. One more requirement is ensuring the appropriate Data Protection Supervisory Authority and the data controller have all the info they need to ensure compliance.

Instead of a one-size-fits-all approach to securing data, cloud providers will be required to customize security levels to match the nature of the personal data being processed. More critical data will thus be likely to receive more stringent protection.

How PerfectCloud Can Help

Enhanced cloud privacy and security is the aim of the new GDPR, and it’s also the overall benefit of PerfectCloud. Our advanced cloud security solution protects both data controllers as well as data processors by encrypting all data, a move that ensures your company can’t be held liable even if IT systems are breached. Additional protection comes from our strong key management and our zero-knowledge, token-less patented security architecture. You control it all from a single dashboard. And yes, we’re compliant with current EU directives – and will continue to comply when the new EU regulations go into effect.


To learn more about PerfectCloud’s Cloud IDM and Encryption solutions, join us at Identity Management 2014 at the Hotel Russell, London (12th November) or visit