Preparation needs to start now for imminent European data protection changes

This s a guest blog Mike Davis, author of a report published by AIIM.


The forthcoming European General Data Protection Regulation (GDPR) changes signal a major opportunity for cloud providers to deliver EU-wide services under a single operations model.

Making sense of European Data Protection Regulations as they relate to the storage and management of content in the Cloud is an AIIM report that details the changes the IT industry will need to make in response to imminent pan-European data protection changes.

These are changes that will affect anyone interested in hosting content in the cloud, be they service provider or end user.

The study examines the forthcoming GDPR, which is set to inaugurate major change in how customer data regarding EU citizens is stored and how organisations must respond if a data breach occurs.

The change, effectively the creation of a single European data law, will mean organisations will incur fines of up to €100 million if found guilty of a ‘negligent breach’ of privacy or loss of data.

That is a serious threat. However, GDPR also presents a number of opportunities and could clarify a lot of issues, as well as offer prospects for long-term planning by cloud specialists.

Aim and scope

The purpose of the GDPR is to provide a single law for data protection to cover the whole of the EU, instead of the present Directive that has ended up being implemented differently in each member state.

The GDPR will also see the establishment of a European Data Protection Board to oversee the administration of the Regulation, a move Brussels is confident will make it easier for European and non-European companies to comply with data protection requirements.

The GDPR also covers organisations operating in Europe irrespective of where data is physically stored. The new regulation is a major opportunity for cloud providers to deliver EU-wide services under a single operations model; meanwhile it also means US based cloud firms need to demonstrate compliance with Europe’s new privacy operating model.

A broader definition of ‘personal’ data

In addition to a common approach to privacy, the GDPR covers privacy for cloud computing and social media, extending the definition of personal data to include email address(es), IP address of computer(s) and posts on social media sites.

That extension has implications for cloud-delivered services both users and cloud firms need to be aware of.

A GDPR-compliant plan of attack

Organisations need to set a GDPR compliant strategy in whichever part of Europe they operate in before the end of the transition period (currently 2017; track to see if this changes).

An important part of that work will be to establish GDPR-supportive procedures and start the process of gaining explicit consent for the collection and processing of customer data ready for the new regime.

If you’re a cloud provider, we recommend drafting a GDPR-compliant strategy, educating your staff on the implications of the changes and amending your contracts and provisioning to be fully compliant.

To sum up: if handled correctly, GDPR will help organisations make more informed decisions about cloud versus on-premise storage; while for the cloud services market, there may be opportunity to deliver truly pan-European services that customers can have assurance are privacy-safe.


The author is a Principal Analyst at msmd advisors and is the author of a new AIIM report on EU data issues study produced in collaboration with a London legal firm, Bird and Bird.