Does cloud-based data storage still work under GDPR?

Most companies looking for a third-party compliance solution now opt to have their data stored on cloud servers located in the jurisdictions where their employees are located and where their business operations take place. However, some companies prefer to host data on in-house, installed solutions.

Installed solutions can create a lot of extra work, liability, downtime and cost to customers. And yet there are advantages to using in-house servers, as well as some preference towards using them in light of recent privacy regulations and scandals.

For example, under the EU’s GDPR, companies are facing new concerns about cloud storage. Providers, data controllers and users are equally responsible for violations and data breaches. This forces providers such as third-party compliance vendors to raise their standards in order to meet the obligations of the GDPR and be equipped to do business with customers.

Under GDPR, companies need to ask new questions of providers. Ultimately, given the shared liability, new contractual terms should offer some comfort that cloud providers will protect their data.

Following in the steps of the EU, India may move forward with new privacy regulation that would likely restrict data to localized storage. That would require major investments from large public cloud providers such as Microsoft, Google and Amazon. One of the pending questions is with respect to the level of foreign ownership the public cloud providers will be able to have once established locally in India.

According to SysGen, in-house servers can benefit companies by eliminating the need to rely on an internet connection to access data and by allowing companies to secure physical control over their data. However, some of the biggest downsides associated with installed solutions include the exposure to major data loss and structural destruction from a natural disaster, should one occur. This is something companies should always consider, especially if they are located in an area where hurricanes or other natural disasters are common. Further, while there may be a cost benefit to small or mid-sized companies for using installed solutions, there is great risk around uptime or recovery time guarantees should the system fail.

When a solution is hosted through a cloud-based server, there is no need for on-premise hardware. This is a big benefit for larger companies who cannot afford for a system to go down for long periods of time without recovery. There is also greater flexibility with respect to storage on cloud solutions, allowing customers to only pay for the storage they use, a feature that is not offered with an installed server. While a cloud-based model relies on internet access, it offers the benefit of being able to access your data from any device where internet can be obtained. Also, data can be easily and frequently backed up on a cloud server.

If a company is concerned about backup copies of its data when using a cloud server, some vendors may be able to accommodate them by providing copies that are saved as backups on the company’s servers (whether installed or otherwise) where other data may be stored.

In addition to deciding which type of server to implement when engaging third-party providers, companies must also consider privacy regulations and their implications for the types of infrastructure they choose to stand up. While this may not be a high priority or concern for small firms operating in one jurisdiction, it is inevitable for larger companies operating in multiple countries.

Eventually, a large company operating in multiple jurisdictions will have to consider not only costs and benefits with respect to the types of server options, but also regulatory requirements and implications for maintaining data locally on those servers, whether on cloud or installed servers. In some cases, regulatory considerations may influence or even be the ultimate factor in why a company chooses one type of server over the other.

The complexities of new and evolving privacy regulations will add to the already complex discussions and decisions that both business and compliance professionals need to make as part of their technical infrastructure and implementations.


Lindsay Columbo, Esq. is a founder of eSpear LLC, a developer of due diligence and screening solutions, where she serves as the Global VP of Compliance & Support Services. She previously served as Associate Corporate Counsel, Global Ethics & Compliance for Brightstar Corp., a SoftBank company headquartered in Miami, Florida. She can be contacted here.
