28 March 2018

Your cloud GDPR-proof

The market for cloud services will continue to grow in 2018. Working in the cloud offers many advantages, such as being able to access your documents and applications anywhere and at any time. It is important, however, to check whether your cloud complies with the GDPR. But what exactly makes your cloud GDPR-proof?

The GDPR (General Data Protection Regulation) will take effect on 25 May 2018. It has far-reaching consequences for all kinds of organisations, including cloud providers and their clients. Organisations are going to have to deal with stricter legislation. In order to comply with the GDPR, organisations need to have an appropriate data protection policy, and so does your cloud provider. In the end, you remain responsible for the data processing carried out by your cloud provider. Fines for offences can be significant: up to a maximum of four percent of annual global turnover or twenty million euro.

It is important that your cloud provider takes measures to ensure data is protected, and that it has an appropriate data protection policy. Certifications can be used to prove that such a data protection policy is in place for your data. A certification is not definitive proof that a business complies with the GDPR, but it does help in complying with the GDPR. Many of the things audited for a certification also need to be in order under the GDPR.

ISO 27001 certification

ISO 27001 is the international standard when it comes to information security. One of the components of ISO 27001 is compliance with laws and regulations, and this includes the GDPR. In short, the GDPR is included in the management system, and an organisation that is ISO 27001 certified automatically complies. If your cloud provider has an ISO 27001 certification, it helps to prove that the processing systems used also comply with the GDPR.

NEN 7510 certification

Most health care and welfare institutions that process personal health care data need to comply with NEN 7510. This is because various laws and regulations refer to NEN 7510 as the standard for health care data security. If you choose a cloud provider that is NEN 7510 certified, this is a strong indicator that all processing activities carried out by your provider will comply with the GDPR.

ISAE 3402 report

The GDPR states that when you outsource your IT processes to a cloud provider, the final responsibility for the data processing remains with you. You want to be sure that the outsourced processes, your IT environment for example, are properly managed by the cloud provider. An ISAE 3402 report offers you the certainty that an independent auditor has established that the service organisation indeed controls and manages your processes as it should. A welcome reassurance!

A cloud provider must be able to prove how it complies with the GDPR. All of the above certifications help a cloud provider show that the GDPR is being complied with, and that is also what they do for you. You are responsible for your choice of cloud. When a provider cannot prove it has an appropriate data protection policy, it would be better to look for another (cloud) service provider.

Do you have any other questions or would you like to know more about the GDPR? Please contact us.