Table of contents
- Key Takeaways
- What Is GDPR Compliance (and What It Means in the Cloud)?
- The 7 GDPR Principles & Core Requirements
- GDPR in the Cloud: The Controller-Processor Shared Responsibility Model
- Data Residency, Sovereignty & Cross-Border Transfers
- Article 32: Security of Processing in the Cloud (Required Controls)
- Data Protection by Design and by Default
- GDPR Cloud Compliance Checklist (Step-by-Step)
- Roles & Governance: DPO, RoPA & Vendor Management
- Handling Data Breaches Under GDPR
- Maintaining GDPR Cloud Compliance with Orca
- Frequently Asked Questions about GDPR Cloud Compliance
Key Takeaways
- GDPR cloud compliance means protecting EU personal data in cloud services: knowing where it sits, who can reach it, whether it leaves the EEA, and whether Article 32 controls are in place.
- The cloud makes the hardest GDPR questions harder: where is the personal data, who has access, and can you delete it on request. You cannot protect or erase what you cannot find.
- Signing a data processing agreement with AWS, Azure, or Google does not make you compliant. The provider handles its processor obligations; you remain responsible for lawful basis, data location, access controls, and proof.
- GDPR fines can reach 20 million euros or 4% of global annual turnover. The largest penalty to date, 1.2 billion euros against Meta, centered on unlawful EU-US data transfers.
- Continuous proof beats point-in-time checks. Orca discovers and classifies personal data across multi-cloud agentlessly, shows where it lives, and maps exposure, encryption, and access gaps to Article 32.
GDPR cloud compliance is the practice of meeting the EU General Data Protection Regulation for personal data processed in cloud environments. It covers the seven data-protection principles, the controller-processor split, data residency and cross-border transfers, and the Article 32 security controls you need to prove.
The regulation follows EU residents’ personal data wherever it goes, including into a US company’s AWS account. The cloud makes compliance hard because personal data gets copied between regions, reached by roles nobody reviewed, and buried in storage no one inventoried.
This guide takes the security-engineering view, not the legal-program one. It defines GDPR briefly, maps cloud controls to Article 32, gives a step-by-step checklist, and shows how to prove compliance continuously rather than once a year.
What Is GDPR Compliance (and What It Means in the Cloud)?
GDPR compliance means processing the personal data of people in the EU and EEA in line with the regulation’s principles, lawful bases, and rights, and being able to demonstrate that you do. Personal data is any information relating to an identifiable person: a name, an email, an IP address, a device ID, a location trail. In the cloud, compliance adds a layer the law assumes but does not solve for you, which is knowing exactly where that data lives across your accounts and who or what can reach it.
The cloud shifts the problem from policy to inventory. A privacy policy and a lawful basis satisfy the paperwork. They do nothing for a copy of customer records replicated into a US region by a backup job, or a snapshot of a production database sitting unencrypted in a forgotten bucket. GDPR compliance in the cloud is therefore a data-discovery and access-control problem as much as a legal one, and it is continuous because cloud environments change daily.
Who Needs to Comply (and Why US Companies Do Too)
GDPR applies based on whose data you process, not where your company sits. Article 3 gives the regulation extraterritorial reach: if you offer goods or services to people in the EU, or monitor their behavior, you fall in scope even with no EU office and no EU servers. A US SaaS company with European users is bound by GDPR. So is a US retailer that ships to Germany or runs analytics on EU visitors.
This is why “we are a US company” is not a defense. A startup running entirely in us-east-1 still processes EU personal data the moment a European signs up. The cloud makes this easy to miss, because regional sprawl and global sign-up flows pull EU data into infrastructure that was never designed with EEA boundaries in mind.
Penalties for Non-Compliance (the 2% / 4% Tiers)
GDPR fines run in two tiers. The lower tier reaches 10 million euros or 2% of total worldwide annual turnover, whichever is higher, for administrative failures such as inadequate records or a missing data processing agreement. The higher tier reaches 20 million euros or 4% of worldwide annual turnover for breaching the core principles, data-subject rights, or the rules on international transfers.
These are not theoretical. Regulators issued a 1.2 billion euro fine against Meta in 2023 for transferring EU users’ data to the United States without adequate safeguards, the largest GDPR penalty to date. Cumulative GDPR fines have passed 6.3 billion euros since enforcement began in 2018. The pattern that matters for cloud teams is that the largest penalties cluster around data location and transfers, which is exactly the part the cloud complicates.
The 7 GDPR Principles & Core Requirements
GDPR is built on seven principles in Article 5 that govern every act of processing. They are the requirements everything else implements, and each one has a concrete cloud consequence:
- Lawfulness, fairness, and transparency. Have a valid legal basis for processing and tell people what you do with their data.
- Purpose limitation. Collect data for a stated purpose and do not quietly reuse it. A dataset gathered for billing should not feed an ML model without a fresh basis.
- Data minimization. Hold only the personal data you need. In the cloud this fights the default habit of copying full datasets into every analytics and dev environment.
- Accuracy. Keep personal data correct and let people fix it.
- Storage limitation. Delete data when its purpose ends. Cloud storage is cheap, so old personal data accumulates in snapshots, logs, and backups that no retention policy ever reaches.
- Integrity and confidentiality. Secure personal data against unauthorized access and loss. This principle is the doorway to Article 32 and the entire security-engineering scope of this guide.
- Accountability. Be able to demonstrate compliance with the other six. Article 5(2) makes proof an obligation, not a nicety, which is why continuous evidence matters.
The first six tell you how to handle data. Accountability tells you that intent is not enough. You need records, control mappings, and live evidence that the controls run, and you need them across every cloud account where personal data lands.
Data Subject Rights (Access, Rectification, Erasure, Portability) and Why They’re Hard in the Cloud
GDPR gives individuals enforceable rights over their data: access to a copy (Article 15), correction of errors (Article 16), erasure or the “right to be forgotten” (Article 17), and portability of their data to another provider (Article 20). On paper these are a workflow. In a multi-cloud estate they are a search problem.
Consider an erasure request. To honor it, you must find every copy of that person’s data: the production database, the read replica in another region, last week’s snapshot, the data lake export, the third-party analytics tool, the support-ticket attachment. Miss one and you have not complied. The technical blocker is rarely the delete command. It is locating the personal data in the first place, which is why discovery and classification sit underneath every data-subject right.
GDPR in the Cloud: The Controller-Processor Shared Responsibility Model
Under GDPR you are almost always the data controller, and your cloud provider is a data processor.
The controller decides why and how personal data is processed and carries the legal accountability.
The processor acts on the controller’s instructions. AWS, Azure, and Google Cloud are processors for the infrastructure they run.
They are not responsible for the personal data you choose to put there, who you grant access to, or whether you have a lawful basis. This is the shared responsibility model applied to privacy law.
Does your cloud provider make you GDPR compliant?
So is AWS GDPR compliant? The honest answer is that the question is framed wrong. AWS offers GDPR-relevant features, signs a data processing agreement under Article 28, holds certifications, and lets you pick EU regions. That covers their processor obligations. It says nothing about yours. The same is true for Azure and Google Cloud. A provider’s GDPR-readiness is a precondition you build on, not compliance you inherit.
The split lands in a clear line. The provider secures the physical data centers, the hypervisor, and the managed-service backbone. You own the data, the identity and access configuration, the encryption choices, the network exposure, and the regions you deploy into.
Every GDPR failure that produces a fine, an over-permissioned role reaching customer records, personal data copied to the wrong region, an unencrypted store, falls on your side of the line. Signing the DPA is the start of your obligations, not the end.
Data Residency, Sovereignty & Cross-Border Transfers
Data residency is the question of which geographic region your personal data physically sits in, and GDPR turns it into a compliance control. Personal data can move freely inside the EEA. The moment it leaves, to a US region, a support team in India, or a CDN edge node, GDPR Chapter V requires a legal transfer mechanism.
The cloud makes transfers happen silently through replication settings, global services that fail over across continents, and SaaS sub-processors with US infrastructure.
Legal mechanisms for GDPR cross-border transfers
The mechanisms that legalize a transfer are specific. An adequacy decision covers countries the European Commission deems to offer equivalent protection. For the US, the EU-US Data Privacy Framework provides adequacy for certified companies as of 2023, replacing the Privacy Shield struck down in 2020. Where no adequacy decision applies, you rely on Standard Contractual Clauses (SCCs) plus a transfer impact assessment.
The Schrems II ruling made SCCs alone insufficient; you must assess whether the destination country’s surveillance laws undermine them and add supplementary measures such as strong encryption.
The US CLOUD Act introduces a separate challenge. It lets US authorities compel US-based providers to hand over data they hold, regardless of which region it sits in. A dataset in an EU region of a US provider can still be reachable under US law, making data sovereignty more than a storage setting. The practical control is to know, continuously, which region every store of personal data lives in and which transfers are active, because multi-cloud data location drifts as the environment changes.
GDPR and Cloud Storage: Keeping Personal Data in Region
For cloud storage specifically, residency means pinning personal data to EEA regions and proving it stays there. Set region constraints on object storage, databases, and backups. Watch the silent leak paths: cross-region replication, snapshot copies, log aggregation that ships to a central US account, and managed services whose default region differs from your workload. A single backup policy can move a copy of EU personal data outside the EEA without anyone deciding to.
Article 32: Security of Processing in the Cloud (Required Controls)
Article 32 is where GDPR meets cloud security engineering. It requires controllers and processors to implement “appropriate technical and organisational measures” for the personal data they process, and it names the categories: pseudonymization and encryption, the confidentiality, integrity, availability, and resilience of processing systems, the ability to restore availability after an incident, and a process for testing the controls.
The article is deliberately outcome-based, which means you choose the controls and you prove they fit the risk. The following map Article 32 to the cloud controls that satisfy it.
Encryption & Pseudonymization of Personal Data
Encrypt personal data at rest and in transit, and pseudonymize it where the use case allows. Article 32 names both techniques explicitly, and Schrems II made strong encryption a core supplementary measure for transfers. In practice this means enabling encryption on every store that holds personal data, managing keys so the provider cannot trivially access plaintext where sovereignty matters, and enforcing TLS between services.
The common cloud failure is not absent encryption but inconsistent encryption: one database encrypted, its replica or snapshot not, or personal data moving unencrypted between two internal microservices.
Access Controls & Least Privilege to Personal Data
Restrict who and what can reach personal data, and grant the minimum access needed. Most cloud data exposure traces back to identity: an over-permissioned role, a service account with standing access to a customer-PII datastore, a stale human account never deprovisioned. GDPR’s confidentiality requirement maps directly to least privilege, and getting it right at cloud scale is an entitlement problem.
For the mechanics of right-sizing permissions across thousands of identities, see cloud infrastructure entitlement management. The control that matters for Article 32 is being able to answer exactly which identities can read it and why, for any store of personal data.
Resilience, Backup & Availability
Article 32 requires that personal data stay available and recoverable, not just confidential. Build redundancy and tested backups so an outage or ransomware event does not destroy personal data or block data-subject rights.
The cloud caveat is that backups are themselves personal data: they must be encrypted, access-controlled, region-pinned, and covered by retention rules. A backup that restores availability but sits unencrypted in the wrong region trades one Article 32 failure for another.
Logging, Monitoring & Audit Trails
Log access to personal data and monitor for anomalies, because you cannot prove confidentiality or detect a breach without a record of who touched what. Capture data-plane access to sensitive stores, not just control-plane API calls, and retain logs long enough to investigate.
These trails do double duty: they support breach detection under Article 33 and they form part of the accountability evidence under Article 5(2). The failure mode is logging everything except the data access that actually matters.
Discovering & Classifying Personal Data (PII) Across Multi-Cloud
Every control above assumes you know where the personal data is. In most cloud estates, you do not. Personal data spreads into managed databases, object storage, data warehouses, snapshots, and logs faster than any manual inventory can track. You cannot encrypt, restrict, or erase data you have not found, which makes discovery and classification the foundation Article 32 rests on.
This is the job of data security posture management: continuously locating personal data, classifying its sensitivity, and flagging the stores that are exposed, unencrypted, or over-shared.
Data Protection by Design and by Default
Article 25 requires you to build data protection into systems from the start and to make the privacy-protective option the default. By design means embedding controls into architecture rather than bolting them on: minimization, encryption, and access limits decided when a service is built, not after an auditor asks. By default means a new resource starts locked down, not open, so the safe configuration is the one a developer gets without acting.
In the cloud this becomes infrastructure policy. Enforce encrypted-by-default storage, private-by-default networking, and region constraints through guardrails in your IaC and cloud platform, so personal data cannot land in a non-compliant state in the first place.
Article 35 adds the Data Protection Impact Assessment, a required risk analysis before high-risk processing such as large-scale profiling. Run it before you deploy the workload, treat its findings as design inputs, and you turn a compliance document into an architecture decision.
GDPR Cloud Compliance Checklist (Step-by-Step)
Use this sequence to move from unknown to defensible. Each step builds on the one before, because you cannot secure or prove what you have not first found.
- Map your personal data. Discover and classify every store of personal data across all cloud accounts and regions. This inventory is the foundation for every other step.
- Establish lawful basis and purpose. Document why you process each category of personal data and on what legal ground.
- Record processing activities. Maintain the Article 30 record of what you process, why, where it lives, and who you share it with.
- Fix data residency. Pin personal data to EEA regions where required and identify every active cross-border transfer.
- Legalize transfers. Apply adequacy, SCCs, or the EU-US Data Privacy Framework to each transfer, with transfer impact assessments where Schrems II requires them.
- Apply Article 32 controls. Enforce encryption, least-privilege access, logging, and resilience on every store of personal data.
- Operationalize data-subject rights. Build workflows that can find and act on a person’s data across every system for access, rectification, erasure, and portability.
- Manage processors. Sign Article 28 data processing agreements with every cloud provider and sub-processor, and track the chain.
- Prepare breach response. Stand up detection and a 72-hour notification process before you need it.
- Prove it continuously. Replace annual point-in-time checks with live monitoring that surfaces drift the moment personal data becomes exposed, unencrypted, or wrongly located. The 2026 multi-cloud compliance checklist goes deeper on automating this last step.
Roles & Governance: DPO, RoPA & Vendor Management
GDPR assigns accountability to specific roles and records. A Data Protection Officer (DPO) is required when you carry out large-scale monitoring or process special-category data at scale, and the DPO oversees the program and liaises with regulators. The Record of Processing Activities (RoPA) under Article 30 is your living map of what personal data you hold, why, where, and with whom you share it. Treat the RoPA as the bridge between the legal program and the cloud reality: it is only accurate if your data inventory is.
Vendor management closes the loop. Every cloud provider and SaaS sub-processor that touches personal data needs an Article 28 data processing agreement, and you remain accountable for their compliance as a controller. Track the sub-processor chain, because a new sub-processor added by a vendor can create a transfer or an exposure you never approved.
This is the legal-program side of GDPR, and other frameworks such as PCI DSS in the cloud impose parallel vendor obligations worth aligning.
Handling Data Breaches Under GDPR
GDPR sets a hard clock on breaches. Article 33 requires notifying the relevant supervisory authority within 72 hours of becoming aware of a personal-data breach, unless the breach is unlikely to risk individuals’ rights. Article 34 adds that you must tell the affected individuals directly when the risk to them is high. The 72-hour window starts at awareness, which puts the pressure on detection: you cannot notify about an exposure you have not seen.
In the cloud, the breaches that trigger this are concrete. A public storage bucket holding customer records, an over-permissioned identity exfiltrating personal data, a leaked access key reaching a production database.
The 72-hour requirement makes detection and scoping a security-engineering problem, because the notification has to describe what data was involved and how many people. That answer depends on knowing what personal data sat in the exposed resource, which loops back to discovery and classification.
Maintaining GDPR Cloud Compliance with Orca
Continuous GDPR compliance means treating it as a live state of your cloud, not a yearly audit. Cloud environments change every day: new buckets, new roles, new regions, new copies of personal data. A point-in-time assessment is stale within a week, and accountability under Article 5(2) asks you to demonstrate control on any day, not just audit day. The job is to keep a current answer to where personal data lives, who can reach it, and whether its Article 32 controls hold.
This is the slice a security platform owns, and where Orca fits. The Orca Cloud Security Platform uses agentless SideScanning™ to inventory an entire multi-cloud estate without deploying agents, then finds and classifies personal data wherever it sits, in managed databases, object storage, warehouses, snapshots, and logs. You get a live map of which region each store of personal data lives in, which exposes residency and transfer risk directly. The platform flags the Article 32 gaps that produce fines: personal data that is unencrypted, internet-exposed, or reachable by an over-permissioned identity, and maps each finding to the obligation it breaks.
Context is what makes this useful rather than noisy. Orca traces attack paths to personal data, so a public workload chained through an over-privileged role to a customer-PII datastore surfaces as one prioritized risk, not three disconnected alerts. It prioritizes by exploitability and blast radius rather than raw severity, which means the personal-data exposure an attacker could actually reach rises to the top.
The result is continuous audit-readiness for the security-engineering side of GDPR: a current, evidence-backed view of cloud data security you can show an auditor instead of reconstructing it.
Compliance is never a product purchase, and Orca does not handle the legal or consent side. It handles the part you own: discovering, securing, and proving the controls around personal data. To see agentless personal-data discovery and Article 32 mapping on your own environment, get a demo.
Frequently Asked Questions about GDPR Cloud Compliance
The major providers offer GDPR-relevant features, sign Article 28 data processing agreements, hold certifications, and let you choose EU regions, which covers their obligations as processors. That does not make you compliant. You are the controller, responsible for lawful basis, where personal data sits, who can access it, encryption choices, and proving Article 32. Provider readiness is a foundation you build on, not compliance you inherit.
Personal data can move freely inside the EEA. Sending it outside requires a legal transfer mechanism: an adequacy decision, the EU-US Data Privacy Framework for certified US companies, or Standard Contractual Clauses with a transfer impact assessment. In the cloud, the practical task is knowing which region every store of personal data sits in and catching silent transfers through replication, backups, or sub-processors.
An erasure request under Article 17 requires you to delete every copy of a person’s data. The technical difficulty is not the delete command but finding all the copies: production databases, replicas, snapshots, data-lake exports, third-party tools, and logs. Honoring erasure at cloud scale depends on continuous data discovery and classification, because you cannot erase personal data you cannot locate.
No. GDPR does not require personal data to remain inside the EU or EEA. Data can be transferred internationally, provided an approved legal transfer mechanism is in place, such as an adequacy decision, the EU-US Data Privacy Framework for certified organizations, or Standard Contractual Clauses with any additional safeguards required by law. The practical challenge is knowing where personal data resides and ensuring transfers remain compliant as cloud environments change.
Fines run in two tiers. The lower tier reaches 10 million euros or 2% of global annual turnover for administrative failures. The higher tier reaches 20 million euros or 4% of global turnover for breaching core principles, data-subject rights, or transfer rules. The largest fine to date, 1.2 billion euros against Meta, concerned an unlawful transfer of EU data to the US, which is a cloud-shaped risk.
Table of contents
- Key Takeaways
- What Is GDPR Compliance (and What It Means in the Cloud)?
- The 7 GDPR Principles & Core Requirements
- GDPR in the Cloud: The Controller-Processor Shared Responsibility Model
- Data Residency, Sovereignty & Cross-Border Transfers
- Article 32: Security of Processing in the Cloud (Required Controls)
- Data Protection by Design and by Default
- GDPR Cloud Compliance Checklist (Step-by-Step)
- Roles & Governance: DPO, RoPA & Vendor Management
- Handling Data Breaches Under GDPR
- Maintaining GDPR Cloud Compliance with Orca
- Frequently Asked Questions about GDPR Cloud Compliance
