As we already discussed in our previous blog post, the GDPR is a regulation that is not bound to any country in the European Union specifically, nor is it meant for any particular technology or type of business. It applies to all countries within the EU as well as to all companies providing services to and interacting with EU citizens and businesses. In short: the GDPR applies to a majority of all the enterprises there are on this planet. At Nordcloud of course, our angle to look at this is very much centered around public cloud services - our core business. This is why we want to start right there with the 2nd blog post in the GDPR series: what is the impact of that new legislation to the public cloud service provider market? What have the providers done so far and how does it impact public cloud customers?
The bar is raised!
Looking back into late 2016, there were three types of standards that a cloud provider could certify against or comply with when it came to the European / EU market:
Globally relevant Security Regulations and Frameworks
Industry relevant Security Standards
Country specific Security Legislations and Frameworks
These made for a very complex and hard-to-follow landscape of certifications and compliance levels to keep track of, both for the cloud providers and for their customers. We have not seen much struggle with ISO 27001 and the industry standards, of course, but in a continent as fragmented as Europe it is naturally hard to comply with every local piece of legislation around data protection and IT security. It is therefore beneficial that the European Union agreed on a fundamental standard to be applied “across the board” for all of the member states.
CISPE Code of Conduct
Since the GDPR is not officially binding before May 2018, it would be quite impossible to certify against it already. However, every business, and especially the public cloud providers, has to get ready to certify once the law becomes applicable. To allow for the establishment of trust and to enable their customers to set up end-to-end compliance already today, the CISPE Code of Conduct initiative has been called to life. This data protection code aligns with the strict requirements laid out in the GDPR framework to help cloud infrastructure providers comply and so avoid penalties, while also offering a framework that helps customers and end users select cloud providers and trust their services. The CISPE Code of Conduct represents an effective, easily accessible framework for complying with the EU’s GDPR. It excludes the re-use of customer data, enables data storage and processing exclusively within the EU, identifies cloud infrastructure services suitable for different types of data processing, and ultimately helps businesses and citizens retain control of their personal and sensitive data.
The Big Three: AWS, Azure, Google
So when looking at the cloud providers we at Nordcloud work with, who are by far the dominant ones in Europe, the question is: how are Amazon Web Services, Microsoft Azure and Google Cloud Platform doing on compliance with the GDPR? What have they been up to lately in order to satisfy their customers’ demand for a solid and audit-ready service?
Amazon Web Services is excelling in compliance with data privacy regulations: it was, for example, the first to join the well-known CISPE Code of Conduct and has long complied with a variety of EU standards and regulations. You can find AWS’s take on the GDPR here, and you should definitely check out their country-specific regulatory compliance in e.g. Germany or the United Kingdom.
Microsoft Azure in turn, given that it belongs to a larger corporation that spans well beyond public cloud services, has taken a different approach. The IT giant from Redmond, Washington has set up a dedicated GDPR section covering all of its products and services. You can find a good starting point here, and with the huge ecosystem of information Microsoft has built up on the matter, we recommend their content as a solid starting point for educating yourself about the GDPR.
Google Cloud Platform has committed to full GDPR support by May 2018. Google has taken the approach of focusing on the data protection and cyber security aspects of the impending legislation. Here's a quote from Diane Greene, SVP of Google Cloud:
“Google is committed to having full support for that (GDPR) by May 2018, and we will put that in your contracts that we are committed to that. My commitment to you is that we’re going to build together, we’re going to have shared responsibility. We’re committed to open, rather than locking you in. Security is so important today, to almost every board member, every C-Suite and every engineer, nobody wants to be hacked."
*Updated May 12th, 2017
After having looked at the cloud providers in this post, we will next focus on the country-specific implications of the GDPR and on what you, as a customer of public cloud services, will have to look out for in this context; we will also dedicate a blog post to what we'll do at Nordcloud. Stay tuned by following @NordcloudHQ and keeping close to us and our teams on LinkedIn.