How Top Cloud Providers are Responding to GDPR
So, GDPR is here and a lot of people are overwhelmed. There has been plenty of time to prepare, but potential fines and regulatory demands are always difficult to deal with. Cloud infrastructure providers have certainly had their hands full, to say the least. Cloud GDPR compliance focuses primarily on the provider, but users do have some responsibility as well.
Providers act as processors, while customers are considered controllers of personal data. GDPR places specific responsibilities on both parties, but processors carry the heavier burden. The ICO states:
- If you are a processor, the GDPR places specific legal obligations on you; for example, you are required to maintain records of personal data and processing activities. You will have legal liability if you are responsible for a breach.
- However, if you are a controller, you are not relieved of your obligations where a processor is involved – the GDPR places further obligations on you to ensure your contracts with processors comply with the GDPR.
It’s important to know how cloud providers are reacting to these changes. Many organizations are changing their entire terms of service to be completely GDPR compliant, even for US citizens. Below we’ve compiled some of the responses for the top 3 cloud infrastructure providers, AWS, Azure, and Google Cloud Platform.
AWS
AWS recently announced, via blog post, that they have made their GDPR Data Processing Addendum part of their online service terms. They say that all AWS customers, globally, can rely on their AWS GDPR DPA. They added EU models to their Data Processing Addendum, which was approved by the EU data protection authorities.
AWS does not require any extra engagement from their customers, as they have been GDPR compliant for over a year and it is built into their service terms. AWS assures that they will only process customer data in accordance with customer instructions. They have also implemented technical and organizational measures for the AWS network.
In addition to their general cloud compliance, they have also taken on responsibility for their managed services such as Amazon Redshift. Since Amazon handles the basic security tasks for these services, this is important to note.
Azure
Microsoft created a comprehensive page, called the “Trust Center,” to go over changes and compliance related to GDPR. It lets you choose which Microsoft services you use, such as Office 365 or Azure, so you get personalized information on how to stay compliant. This is a great tool for fully understanding what GDPR means for your solutions. They also released a webcast.
Microsoft has also created a Compliance Manager tool. This enables you to track, assign, and verify your organization’s compliance activities for Microsoft services. Microsoft says of the Compliance Manager:
“Combines the detailed information provided by Microsoft to auditors and regulators as part of various third-party audits of Microsoft’s cloud services against various standards and information that Microsoft compiles internally for its compliance with regulations (such as HIPAA and the EU General Data Protection Regulation, or GDPR) with your own self-assessment of your organization’s compliance with these standards and regulations.”
Google Cloud Platform
Although Google itself is potentially getting into some trouble over GDPR, the cloud platform commits to the new laws. They recently updated their data processing terms to reflect GDPR and to set out their commitment to being compliant as the processor under GDPR.
Google released a brief video going over their GDPR compliance. In their white paper, they state, “Google employs security and privacy professionals that include some of the world’s foremost experts in information, application, and network security. This team is tasked with maintaining the company’s defense systems, developing security review processes, building security infrastructure, and implementing Google’s security policies.”