As 25 May approaches, more and more myths about the GDPR appear. Many of them treat the cloud as a ‘safe harbor’ from the GDPR requirements. Still, the data protection standards established by the Regulation will also cover personal data that is stored in the cloud. The legal and organizational steps that should be taken to ensure compliance of cloud services with the GDPR will be considered.
3. Scope of the GDPR
Art. 3: This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.
Regardless of whether data is processed on EU territory, outside its borders or in the cloud, the GDPR provisions will apply to the controller or processor(s). The key factors are:
A) the fact of the processing of personal data of EU citizens;
B) control over the observance of the appropriate standards of processing and protection.
4. Current state of compliance
A study showed that only 1 percent of cloud providers had data practices complying with the regulations that will soon be cemented into place.
5. How things will work in UA
Subject (data owner) -> Controller (data collector) -> Processor (cloud services provider) -> Processor(s) (FOP)
6. Processing in the understanding of the GDPR
‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
7. What can the requirements of the controller be?
• Breach notification obligation
• Data ownership (cloud providers confirm that, according to the host countries’ laws, your company retains ownership of the transferred data)
• Data portability (the technical capability must be provided)
• Implementation of data protection by design
• Risk management (DPIA, right to audit)
8. Steps to get in accordance with the GDPR
To be able to show that the activities of the Company are compliant with the GDPR:
- concluding data protection agreements;
- elaborating the Data Protection Policy;
- appointing the Data Protection Officer, etc.
9. How can cloud providers demonstrate compliance?
• By taking all the needed legal and organizational measures;
• By performing a Data Protection Impact Assessment;
• By being ISO 27001 certified (information security management system);
• By being ISO 27018 certified (code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors).
10. “You should also seek independent legal advice relating to your status and obligations under the GDPR, as only a lawyer can provide you with legal advice specifically tailored to your situation”
Google Cloud & the General Data Protection Regulation (GDPR) White Paper