The European General Data Protection Regulation – a major opportunity for cloud providers

New AIIM whitepaper highlights the potential to deliver EU-wide services under a single operations model, but also the risk if organisations do not comply. The forthcoming European General Data Protection Regulation (GDPR) offers a single law for organisations to follow, but increases fines up to 100 million Euros if found guilty of a ‘negligent breach’ of privacy or loss of data.

  • Monday, 4th August 2014, by Phil Alsop

However, the new legislation is a major opportunity for cloud-providers according to AIIM, with major changes brought in as to how customer data regarding EU citizens is stored and how organisations must respond if a data breach occurs.


AIIM is the leading global organisation for the information management profession and its new whitepaper, “Making sense of European Data Protection Regulations as they relate to the storage and management of content in the Cloud”, explains the implications for both organisations and cloud providers, and also summarises current legislation in 11 of the 28 EU countries.


The law is the first significant change to European data privacy legislation since 1995, providing a single law for data protection to cover the whole of the EU, replacing the previous directive that has been implemented differently in each member state. The new legislation is likely to be passed before the end of 2014, and organisations will be given 2 years to reach compliance (early 2017). In the meantime, national laws for data privacy (as outlined in the appendices to the AIIM report) need to be complied with as a minimum.


“This is a landmark piece of regulation regarding data protection and data privacy, with major implications for cloud storage,” said AIIM spokesperson and the paper’s author, Mike Davis. “It applies to personal data on EU citizens wherever that data is stored across the world. Failure to comply will have serious legal and financial repercussions for an organisation. But it will also enable those organisations to make risk-based decisions about cloud versus on-premise content storage, allowing them to evaluate providers of cloud services to ensure that they will stay compliant with applicable law.”


The GDPR also extends the definition of personal data to include email address(es), the IP address of computer(s) used, and any posts on social media sites. It covers all organisations collecting and processing data of EU citizens and calls upon those organisations to:
· Collect explicit consent to collect data from data subjects (the data subjects must ‘opt-in’) and facilitate the subject’s wish to withdraw that consent.
· Be able to delete all customer data at the request of the data subject, a provision known as “Right to Erasure”, unless there is a legitimate reason for its retention.
· Provide data subjects with a clear privacy policy.


The data controller and data processor (the cloud provider) will have joint liability for any breach of the regulation, and if it is ruled that a ‘negligent breach’ of privacy or loss of data has occurred, the offending organisation can be fined up to five per cent of annual revenues to a maximum of 100 million Euros.


“The new regulation poses serious challenges to organisations using cloud providers for storage of personal data, which means those organisations will be focusing their attention much more on providers that are compliant with the new legislation,” continued Davis. “This could be an important differentiator and major opportunity for cloud providers, both in Europe and the US, to align their cloud security with the new regulation.”


The AIIM white paper, “Making sense of European Data Protection Regulations as they relate to the storage and management of content in the Cloud”, is available here. The report was underwritten by Hyland (creator of OnBase), OpenText and Workshare.