GDPR, Cloud and the shared responsibility model

The GDPR (General Data Protection Regulation) presents organizations that process data through cloud services with some unique challenges and opportunities.
The GDPR aims primarily to give citizens and residents control over their personal data, and it takes effect on 25 May 2018.
Before discussing the GDPR obligations, let us first look at the cloud shared responsibility model:

The table above makes it clear that both the customer and the cloud service provider have distinct responsibilities.
The cloud service provider is responsible for physical protection (including data center locations) and for the infrastructure layers (except for the operating system in the IaaS model).
The customer is the data owner and, as such, is responsible for access permissions and auditing. In the IaaS and PaaS models, the customer is also responsible for the application layer: access controls, hardening and configuration, encryption, and so on.
This model is important to understand because the GDPR contains specific requirements that the cloud service provider is not responsible for. Any organization storing or processing personal data needs to be aware of these requirements and prepare accordingly in order to be compliant with the GDPR.

Main GDPR requirements related to cloud services:


Eyal Estrin
Eyal Estrin is a Cloud Architect.
He joined IUCC in December 2017 and his main focus is promoting and supporting cloud services in Universities in Israel. He brings with him more than 20 years of experience in the IT and information security field.
Follow him at @eyalestrin