Connect with us

Hi, what are you looking for?


Cloud Security

94% of Cloud Services Not GDPR Compliant: Report

According to an analysis of more than 20,000 cloud services, only 6% can claim to be fully compliant with the European Union’s General Data Protection Regulation (GDPR).

According to an analysis of more than 20,000 cloud services, only 6% can claim to be fully compliant with the European Union’s General Data Protection Regulation (GDPR).

This new standardized data protection law will be implemented by all member states of the European Union by spring 2018 at the latest. Technically, this will include the UK. Despite the Brexit referendum, the UK will remain a full member of the Union for two years following invocation of Article 50 to commence the leaving procedure. Article 50 has not yet been invoked.

An easy automatic assumption is that putting data into the cloud removes responsibility for that data and places it on the cloud provider. This is not so. The GDPR draws a distinction between the data controller and the data operator — and the controller always has primary responsibility. Where a company stores or uses data in the cloud, that company remains the data controller and is responsible for that data under GDPR. Furthermore, the GDPR is not limited by the nationality of the company concerned, nor the geographic location of the cloud service — if a European citizen’s personal data is involved, then the GDPR is also involved.

What this effectively means is that placing European personal data within the cloud reduces a company’s GDPR compliance to that of the cloud provider — and according to the Skyhigh analysis, this is a worrying concern. “Cloud remains essential to all businesses, but the EU GDPR quashes the notion of using cloud services straight out of the box,” says Nigel Hawthorn, Skyhigh Networks’ chief European spokesperson. “Put simply, the standard terms and conditions associated with almost all cloud services are not suitable for companies doing business in Europe and will need to be reviewed, negotiated or rejected outright once the EU GDPR is enforced.”

In more detail, 84% of cloud services do not immediately delete customer data on termination of contract. If any of that data contains European personal information, then that immediately brings the cloud service into a breach of GDPR.

Skyhigh also notes that only 1% of cloud services provide notification of security incidents within 24 hours. GDPR requires data controllers (remember, the cloud customer rather than the cloud provider) to notify a relevant data protection regulator within 72 hours. It’s clear that it will be difficult, if not simply impossible, for a large number of cloud service users to meet the GDPR breach notification requirement.

User IP is another concern. Skyhigh notes that 58% of cloud services provide no guarantee regarding IP ownership. Some take ownership of all uploaded IP while others simply fail to specify what happens to it. At one level this is a simple business issue; but again, if it includes European personal data then the GDPR could be involved.

Advertisement. Scroll to continue reading.

There are two issues to consider over cloud services and GDPR. The first is that sanctions are massively increased over the earlier data protection fines: a fine can now be up to €20 million or 4% of global annual turnover for the preceding financial year. The second, however, is that regulators are almost certain to take ‘effort’ into account. If a company can show that it has made serious effort to be GDPR compliant, it is unlikely that the regulators will seek maximum fines.

“When considering EU GDPR, it’s not as simple as ‘compliant or non-complaint’, ‘safe or unsafe’,” continued Hawthorn. “The regulation consists of more than 100 articles and is a complex matter which requires each business to make its own judgement call after evaluating the many variables.” What all this means, in effect, is that GDPR compliance is just another factor, albeit a serious factor, in an existing major problem for CISOs: cloud vendor management.

Skyhigh offers a free service to its customers that provides an assessment of their cloud providers’ GDPR compliance.

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join security experts as they discuss ZTNA’s untapped potential to both reduce cyber risk and empower the business.


Join Microsoft and Finite State for a webinar that will introduce a new strategy for securing the software supply chain.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.


The three primary drivers for cyber regulations are voter privacy, the economy, and national security – with the complication that the first is often...

Cloud Security

Cloud security researcher warns that stolen Microsoft signing key was more powerful and not limited to and Exchange Online.

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...

Cloud Security

Microsoft and Proofpoint are warning organizations that use cloud services about a recent consent phishing attack that abused Microsoft’s ‘verified publisher’ status.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Application Security

Many developers and security people admit to having experienced a breach effected through compromised API credentials.