EU General Data Protection Regulation 2016: Impact on Cloud Computing

“The General Data Protection Regulation” released in 2016… A White Paper


WHAT: Clingstone publishes a White Paper “The General Data Protection Regulation“.

FOR WHOM: the White Paper targets a senior level of Business and IT decision-makers who deal with or think about engaging Clouds.If your company is a Cloud provider that collects or stores data, including private data, you have to learn your regulated liability if another Cloud provider, which you have hired, allowed the breach of private data received from you.

This White Paper will be also of interest to Enterprise and Solutions Architects in both Business and Technology, as well as to some financial and marketing experts who are responsible for compliance with EU regulations.

WHY: this White Paper outlines:

  • 1) not only new compliance regime, but also a new meaning of breaching personal data, which was not adopted in the industry before
  • 2) that all Cloud providers – data collectors and processors – now need to provide special means for private data subjects  in order for obtaining their explicit and inambiguous agreements on the use of the private data
  • 3) consent-based limitations on the use of results of private data analysis, which impacts Big Data processing
  • 4) a significant fine for breaching private data, which is at a magnitude hire than before.


slide5 Executive Summary

 The General Data Protection Regulation (GDPR) was issued in the Spring of 2016 by EU as one of the first documents aiming to protect privacy and business ownership from the risks of technology outsourcing, such as Cloud Computing.

The GDPR outlines aspects of private data management in corporate environments and defines responsibility for breaching privacy by unauthorised sharing or physical loss of data. A significant ruling is dedicated to collecting the data for one purpose, but using the information extracted from this data for other purposes.

It is one of the first precedents where both a collector of data and data analyser are held accountable in cases of privacy breaches. At the same time, the data subject/user has obtained the right for material compensation for any tangible or intangible losses it suffers as a result of privacy breaches. The fines for the incompliance with the GDPR are increased by 400 times in comparison to the current fines exercised in the EU.

This White Paper not only reviews the statements of the GDPR, but also links them with the business cases and current practice of using Cloud Computing in the industry. We point out implications to organisations that already use Cloud Computing or are only planning to do so.

Clingstone Limited, the Business and Technology Management Consulting company, recognises the risks that companies face with regards to this new regulation. In the remaining two years before the GDPR comes into force, in order to avoid financial penalties in the magnitude of €20 M or 4% of turnover, we recommend for users of Clouds the following:

  • 1) Create a map of all sources of private data collected in the organisation
  • 2) If the organisation exchanges collected private data with other organisations, including Clouds, create a map of such data and organisations
  • 3) Clearly establish organisational data ownership
  • 4) Identify problematic areas where private data is not used in line with intentions initially agreed with the data subjects. Also, identify problematic areas where private data is used with no agreements with data subjects at all
  • 5) Setup and implement remediation programmes that enable compliance with this new regulation.

In the following pages we will cover some of the areas of particular compliance concerns that require immediate attention where Clingstone may provide required expertise.