video icon
GDPR Webinar:Lessons learned in the past year

GDPR (General Data Protection Regulation) Compliance Requirements

The GDPR introduced strict requirements on how businesses should manage personal data in the cloud. Download the GDPR Cloud Security Requirements Checklist to learn the key requirements.

  • green tick

    Lawfulness, fairness, and transparency: personal data should be processed in a lawful, fair and transparent manner

  • green tick

    Limited purpose: personal data should be collected for specified, explicit and legitimate purposes and not further processed in a way not compatible with these

  • green tick

    Confidentiality and integrity: personal data should be processed in a manner that ensures appropriate security, including protection against unauthorized or unlawful processing and accidental loss, destruction or damage.

  • green tick

    Data minimization: the collection of personal data should be limited and data collected must be relevant to accomplish a specific purpose

  • green tick

    Storage limitation: personal data shouldn’t be kept for longer than is necessary for the purposes for which such personal data is processed

  • green tick

    Accuracy: personal data stored and managed should be accurate and, where necessary, kept up to date

GDPR Compliance free eBook

Download the GDPR Cloud Security Requirements Checklist

Interested in learning more about getting your cloud-based file storage & sync ready for the GDPR? This free eBook from the cloud encryption company, Tresorit, helps you explore what the General Data Protection Regulation (GDPR) is, what are its requirements for processing personal data in the cloud and what key aspects businesses should to look into when choosing cloud storage services.

Download Now

Why the GDPR matters for your business?

May 25, 2018

The European Data Protection Regulation is applicable as of May 25th, 2018 in all member states

The General Data Protection Regulation (GDPR) is a comprehensive regulation that unifies data protection laws across all European Union member states. It defines an extended set of rights for European Union citizens and residents regarding their personal data. Consequently, it describes strict requirements for companies and organizations on collecting, storing, processing and managing personal data. Businesses have little time and a lot of challenges to comply with the requirements, as they have to adopt their existing processes and services they use to collect and handle the personally identifiable data of their employees and customers.

Who is affected by the GDPR?

The GDPR has a broad territorial scope. It applies not only to all organizations established in the EU that handles personal data but also to any non-EU established organization that processes personal data of individuals who are in the EU in order to: a. Offer them goods or services, irrespective of whether a payment is required; b. Monitor their behavior within the EU. The GDPR aims to protect personal data at all stages of data processing and it identifies two different entities that both have obligations: data controllers and data processors.

What are data controllers and data processors?

A data controller is an entity that determines the purposes, conditions, and means of the processing of personal data. For example, educational and research private and public institutions, healthcare services, or any business that manages the personal data of their employees and customers. On the other hand, a data processor processes personal data on behalf of the controller, such as a cloud provider (for example a Software-as-a-Service like CRM software). It is important, that a company can act both as a controller and processor, depending on the exact type and usage of data.

Personal data

The EU’s GDPR only applies to personal data, which is any piece of information that relates to an identifiable person.

What is personal data?

Personal data is any information relating to an identified or identifiable natural person (‘data subject’); such as a name, identification number, location data, an online identifier, or factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person. Organizations should take measures to minimize the amount of personally identifiable information they store, and ensure that they do not store any information for longer than necessary.

“The controller and the processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate: the pseudonymisation and encryption of personal data”

– GDPR Article 32. Security of Processing

End-to-end encryption

End-to-end encryption (E2EE) is a method of secure communication that prevents third-parties from accessing data while it’s transferred from one end system or device to another

How does encryption help with protecting data and compliance?

Encryption is underlined as an example of “appropriate technical and organizational measures” and an appropriate safeguard to protect data. The GDPR states that if the controller has implemented encryption to its personal data, in case of a data breach, affected personal data are likely unintelligible to those not authorized to access it. Hence, such data breach is unlikely to result in a risk to the rights and freedoms of affected natural persons. The result is that the controller may not be required to communicate the data breach to affected data subjects, under Article 34 GDPR. All in all, encryption reduces the risks of processing data in the cloud, as it reasonably makes re-identification of leaked personal data impossible with the right measures. The stronger the encryption algorithm is, the more it may reduce the liability of data controllers.

Does the GDPR differentiate between different methods of encryption?

The GDPR refers to encryption in several provisions; however, it does not specifically indicate which algorithm (e.g., AES 256bit) or application (e.g., at-rest, in-transit, or end-to-end). While it does not explicitly talk about encryption methods, the way encryption keys are stored is an important to decide whether re-identification of encrypted data is possible with reasonable efforts. With in-transit & at-rest encryption, the cloud provider has access to the encryption keys, while with end-to-end encryption, the keys are stored at the user side only. Because of this, in case of a data breach, re-identification of end-to-end encrypted data with the correct efforts is infeasible. End-to-end encryption with client-side key management represents stronger protection for the personal data.

GDPR Webinar: Securing the cloud

Watch GDPR Webinar: Securing the cloud

The GDPR is the most comprehensive data protection regulation to date, radically changing the way how businesses should manage personal data. This webinar is a joint presentation by data protection lawyer Paolo Balboni, Prof, President of the European Privacy Association and cryptography expert Istvan Lam, Co-founder and CEO of Tresorit

Watch Now

Cloud security checklist for GDPR compliance

The GDPR requires companies to protect the personal data of their customers and employees at all stages of the data processing lifecycle. With more businesses adopting and using cloud-based tools for communication and collaboration, complying with this requirement is a challenge. According to a recent survey, 60% of enterprises plan to abandon their on-premises systems completely to switch to cloud-based, Software-as-a-Service tools in the next two years. Smaller companies are also migrating to the cloud: in 2017, the average number of cloud apps used by an SMB was estimated to be as many as seven. Choosing cloud-based services that help companies ensure and maintain GDPR compliance is not an easy task. Businesses need to take different technology and legal aspects into consideration when looking for a service provider. Our guide helps you with summarizing the 5 most important things to keep in mind.


What are the encryption technologies used by the provider?

While the GDPR does not explicitly talk about encryption methods, the way encryption keys are stored is important to decide whether the re-identification of persons from the leaked encrypted dataset is possible with reasonable efforts. With in-transit & at-rest encryption, the cloud provider has access to the encryption keys, while with end-to-end encryption, the keys are stored at the user only (the provider never has access to plaintext encryption keys). Because of this, in case of a data breach, re-identification of persons from the end-to-end encrypted data is infeasible. This way, end-to-end encryption with client-side key management represents stronger protection for personal data.


What further security and control features does the provider offer?

Beyond strong encryption, the provider needs to take further steps to secure the data of their users. First and foremost, account security should be taken seriously. This includes managing user authentication securely, preferably with zero-knowledge methods. There are different levels of how securely a service provider treats your password. The highest level of password protection is the “zero-knowledge” method: your provider has zero-knowledge about your password. In this case, your password won’t be compromised if the service provider is hacked nor in the case of an employee leak.

According to surveys, a large part of data breaches is caused by employee errors or malicious employees. These incidents can include cases when work devices are lost or stolen, or when employees leak data on purpose. Make sure that your provider offers extensive data control and governance features to minimize the risks of these events. There are several useful features you should look for: permission management to set up granular access levels to personal and other sensitive data, the option to monitor staff’s activities related to files management such as who opened or deleted the files (audit trail), the possibility to create and monitor internal security policies related to data security, backup options like deleted file recovery, and device control tools. (access revoke, remote wipe, etc.).


Is the provider transparent about data residency and data protection?

The GDPR states that personal data should be processed lawfully, fairly, and in a transparent manner. This applies both to businesses managing personal data (data controllers) and cloud-based services they use (data processors). The data controller though has to make sure that the third-party services they use to meet these requirements, as according to the principle of accountability, the final responsibility and liability of protecting the data lies on them. The controller should be able to demonstrate compliance with all the principles relating to the processing of personal data.

Data residency is an essential aspect, too. Although the GDPR doesn’t specify whether the data should be stored in the EU, ensuring GDPR compliance is more straightforward if your provider stores your data in EU datacenters. When the provider uses third-country data-centers or sub-processors, additional guarantees are needed to ensure that your data is protected according to the same high standards as the EU prescribes with the GDPR.


Does the company provide binding documents on data protection?

To provide EU residents with stronger control over the privacy of their data, the GDPR unifies data protection regulations across all member states. This means that all companies who manage the personal data of EU residents have to adhere to its strict requirements.

In case you’re looking at an EU-based cloud solution provider, always look for proof that the company has already started to prepare their data management processes for the GDPR. This includes, among many other things, providing the required documents on data protection such as a clear and easy-to-understand Privacy Policy and Terms of Use, and beyond that, a Data Processing Agreement that they can sign with their business customers. If the cloud company is not located in the EU, you have to look for other proof beyond that. Make sure that the company:

  • is established in a country that received a data protection adequacy decision from the European Commission (for example, Tresorit is located in Switzerland, a country with adequacy status from the European Commission). or
  • is certified under the EU-US Privacy Shield, or
  • provides other adequate contractual guarantees that prove they have the same high level of protection as EU companies (for example, Standard Contractual Clauses adopted by the European Commission, or Binding Corporate Rules (BCRs) approved by the procedure detailed in GDPR Article 47

How does the company prove that the above practices are enforced?

The GDPR is revolutionary because it applies a risk-based and by-design approach to data protection. Companies have to assess risks related to the management of personal data and implement appropriate technical and organizational measures to minimize them. Beyond this, they have to able to prove that they took the necessary steps that are appropriate to the risks.

This applies to any cloud provider that you consider using, too. Although the GDPR is a new regulation, there are further data protection guarantees you can look for. Look for other information security certifications or compliance standards like ISO, HIPAA. Check if third-party information security audits were performed.

Technology measures: encryption
Encryption at-rest
On request for businesses
Encryption in transit
End-to-end encryption for storage
End-to-end encryption for file sharing
Encryption keys controlled by the user
Only if using external encryption module
Partly / on request for enterprises
Partly / on request for enterprises
Provider never has access to the plain text content of user files

ebookGet the eBook to see full comparison

Learn more about GDPR and Encryption


Securing the cloud

Learn the main data protection principles and impacts of the GDPR from legal and technology experts.


5 key steps for law firms to GDPR compliance

Learn how to locate, identify, and protect personal data in your company before the GDPR deadline.


7 ways Tresorit helps with GDPR compliance

Learn how Tresorit can help avoid the most common data breaches