GDPR in the Cloud – knowing your obligations

Inside and outside of Europe, everyone’s talking about the General Data Protection Regulation (GDPR) and what it means to their organisation. But whatever your state of readiness for March 2018, GDPR shouldn’t just be a nerve-shredding deadline. Approaching GDPR positively actually provides a great opportunity for long-term improvements in cloud operations, not to mention in records management and digital preservation.

There’s already plenty of information out there for decision makers on how to prepare for GDPR; but not necessarily for everyone who uses (or is thinking of using) the cloud for long-term digital preservation. This can remain a confusing area for businesses to meet their GDPR compliance requirements, when documents and other records are being held by third party vendors.

Here’s the small print.  GDPR article 28 states that controllers “shall use only processors providing sufficient guarantees to (…) meet the requirements of this Regulation.” What does that mean? Well, a business’ choice of vendor is clearly critical to meeting your own obligations.  But what if they then use another processor whose service is in the cloud? That can make it harder for you to make your cloud services comply with GDPR. All the links in the chain have to be strong, and if one breaks then the consequences are on you.

Let’s take Amazon Web Services (AWS) as an example – there’s good news for anyone using a processor on AWS; they’ve already stated their position that “all AWS services will comply with the GDPR when it becomes enforceable on May 25, 2018”. But it’s worth checking that your processors are making similar preparations.

Holding information in the cloud will also raise questions about territorial scope and transfers of personal data.  It’s important to note that transfers outside of the EU are allowed but you should pay careful attention to how your processor meets the transfer obligations of articles 44-46.

Now to digital preservation. GDPR has a strong focus on the ‘right to access’ through preventing ‘accidental or unlawful destruction’, and this last point is actually highly significant. Although many GDPR discussions refer to the ‘right to be forgotten’, it is also critical to ensure valuable information is preserved and protected for the long-term, when appropriate or required to do so.

So, a digital preservation controller now needs to comply with all of the GDPR obligations as well as meeting the needs of protecting and preserving information for the long-term. But ultimately, GDPR can be a positive driver for the successful long-term preservation of information which includes digital preservation, and using a SaaS provider in the cloud.

Preparing for GDPR means you will need to understand the information you hold a little better, but that does mean you can use it more effectively.  At the same time, you can have more confidence in the accountability and security of those you choose to engage. Bring on 2018!

By Mike Quinn, CEO Preservica

GDPR Summit Series is a global series of GDPR events which will help businesses to prepare to meet the requirements of the GDPR ahead of May 2018 and beyond.

Further information and conference details are available at