What Cloud Providers Need to Know About GDPR Compliance for US Companies

July 26, 2018 | Data Governance

Are you a US-based cloud provider that has yet to comply with the EU’s General Data Protection Regulation?

You need to abide by this new directive to avoid hefty fines and penalties.

But your company is based in the US, why should you comply with a European Union law?

Well, most business owners think that they don’t need to worry about the GDPR because their companies are based in the United States. But the truth is that the GDPR applies to every company that does business with the EU or the European Economic Area (EEA).

In this piece, we’ll look at what you need to know about GDPR compliance for US companies. But before that, let’s explain what GDPR is.

What’s the GDPR?

The General Data Protection Regulation is a new piece of EU legislation that seeks to regulate the collection and security of the personal information of EU and EEA citizens.

Simply put, GDPR is a law that seeks to control how organizations collect, store, process, and use EU or EEA data.

The law was adopted on 14th April 2016 and came into force on 25th May 2018.

Under this new legislation, organizations cannot collect, store, manage, or use personal information of an EU resident or citizen without their consent. The law enshrines certain rights which data subjects have to their information, including:

  • Consenting to the collection, storage, and processing of personal information on a case by case basis
  • Knowing why, where, and how their data is being processed and used
  • Ability to opt out of data collection, storage, or processing at any time
  • The right to have data held by a company changed to reflect the actual condition
  • The right to copy or move personal data from one source to another (data portability)
  • The right to have information deleted entirely

The personal information in question includes names, email addresses, photographs, birth dates, medical data, phone numbers, and any other information that you can use directly or indirectly to identify the data subject.

GDPR Compliance for US Companies

The GDPR is applicable in the EU and EEA, of course, but it also affects foreign companies that deal with or process sensitive data from EU or EEA subjects, which includes customers, end users, and employees.

This means that US companies that do business in Europe are affected by the new EU law.

Are US-Based Firms Without EU Ties Exempted from This Law?

Even if your company has no direct EU operations, you still need to comply with the EU directive.


First, GDPR compliance will make it easy for you to do business with US-based firms that have ties with the EU. Compliance will also incorporate self-governance into the company and reduce regular interventions by the enforcing authority.

Potential clients will also trust your company more, and this will make them more willing to share their personal information with your company.

Abiding by the GDPR will also make it easy for your company to expand to Europe and other regions that are affected by the EU law.

The Specific Rules a US-Based Cloud Provider Must Follow

Cloud-service companies should be among the first companies to comply with the GDPR.

To be GDPR compliant, a cloud provider must follow these rules:

  • Invest in a system that allows data subjects to see and even delete information that concerns them when necessary.
  • Report data breaches that pose a risk to customers to the relevant data privacy supervisory authority within 72 hours
  • Make data policies clear and easy to read and understand
  • Comply with the “privacy by design” principles

Besides, since your cloud service company handles sensitive data and systematically monitors data subjects on a large scale, or has more than 250 employees, you’ll also be required to hire or outsource a data protection officer (DPO).

According to the Article 29 Working Party (WP29), a DPO will play the following roles:

  • Educate firms and employees about the new EU law and the protection of personal information.
  • Help firms to address data protection problems proactively
  • Train employees involved in collecting and processing Personally Identifiable Information (PII)
  • Act as the contact point for the firm and the European Union’s data privacy supervisory authority

The DPO should also inform the customers how your firm is using their personal information and the security measures put in place to protect it. The officer manages all processes and records related to data collection and processing.

What Happens If a US-Based Company Doesn’t Comply with the GDPR?

According to the EU, non-compliance could lead to penalties or fines of up to 20 million euros. Some violations could also result in criminal charges that could lead to a jail term.

The EU is unlikely to start imposing these fines and penalties right away. Why?

Well, the interpretation of the new EU law is still vague, and this makes it hard for most organizations to know for sure if they comply.

The EU is more likely to go slow at first and focus on large corporations, but you shouldn’t take chances.

Tips to Stay on the Safe Side

Here are some tips that can help US-based cloud providers prepare for GDPR compliance:

Understand the Law

The first step to compliance is to understand what the General Data Protection Regulation is all about and how it affects your company. This way, you can implement the necessary changes with confidence.

Audit Data

US companies also need to learn more about the data they have: who collects it, where it’s located, who can access it, and how much personal information they have.

Auditing data will help US cloud providers come up with reliable systems that will keep a lid on sensitive data.

Give Customers Control

US companies should introduce new policies and regulations that make customers feel that they’re in control of their data.

These companies should also introduce new systems that allow data subjects to define how the companies can use the data they collect.

Commitment to GDPR Compliance

US company owners should not let the DPO and the compliance department do all the work.

Everyone in their organization should be aware of the implications of the EU law. This will make the compliance process smooth.

Wrapping Up

The General Data Protection Regulation will affect all organizations, corporations, public authorities and individuals that do business with the EU. Therefore, you should ensure your cloud-service company is GDPR compliant.

Our comprehensive guide and essential tips on GDPR compliance for US companies will certainly make the process easy and successful.

Feel free to contact us if you have any questions or are in need of GDPR consulting.