AGORA Press Group and cloud☁mania – knowledge platform for Cloud & Business Transformation – announce the publication of the GDPR Ready Catalogue, the first editorial project in Romania dedicated to service and solution offerings that help organizations comply with the GDPR provisions. The GDPR Ready Catalogue is part of the 7th edition of the Catalog of Cloud Computing Romania guides and is an essential component of the “GDPR Ready!” initiative.



Since May 2016, when the European Parliament approved EU Regulation 2016/679, GDPR has become the keyword in all business, technological and social environments. The new Regulation is the most important change to personal data protection legislation in the EU and globally. 2018 will be a year of considerable upheaval, with major implications not only for the IT sector but also for governmental organizations and data operators in every industry. For, after all, we are all data processors, and we will all be subject to the same rules.

Although it is technologically advanced, the IT industry is one of the areas where compliance with the new Regulation can raise the biggest problems. The vast majority of companies are aware of the strategic importance of aligning with the GDPR provisions, but very few are really prepared to act. What must cloud providers do to offer GDPR-compliant services? What about data centre operators? eCommerce companies and online payment processors? Distribution companies, reseller channels and IT retailers? Software houses and providers of call-centre, consulting, training and maintenance services? Of course, many things are common to all of these IT domains, but there are also a multitude of particular aspects.

Quick Guide

This is why we decided that the 7th edition of the Cloud Computing Romania Catalogue should be dedicated to GDPR. Starting from the knowledge and coordination gap in the IT industry, we felt the need to produce a GDPR Ready Catalog that would provide general recommendations for data operators in any industry. The GDPR Ready Catalog is structured in two parts:

  • Quick Guide
  • GDPR Compliance and Service Recommendations Catalog.

The “Quick Guide” contains 60 questions and answers structured to provide an overview of the main changes introduced by the Regulation, as well as the critical areas that we need to know when preparing for compliance. It also comes with a series of recommendations from international experts, governmental and professional associations, and analysis and research firms. The main chapters covered by the compliance question series relate to:

  • The Importance of GDPR
  • Brief history of personal data protection
  • GDPR Principles
  • Rights of the data subjects
  • Personal data protection
  • Impact assessment
  • International data transfer
  • Ensuring compliance
  • Notification of security breaches and penalties.

The guide is accompanied by the recommendations of experts who have addressed the main directions for cloud providers: Bart van Buitenen – managing partner, White Wire; Ian Moyse – Sales Director, Natterbox, Cloud Industry Forum; Lucia Ştefan – consultant manager, Archiva Ltd (UK); and Atle Skjekkeland – Vice President, AIIM Europe; as well as the recommendations of the National Supervisory Authority for Personal Data Processing (ANSPDCP), CERT.RO, ANSII and some of its members, and IDC Romania.

GDPR Compliance Conformance Guidelines

The second section is the GDPR Compliance Conformance Guidelines offered by vendors, integrators and resellers of information security solutions and services, together with service packages provided by law firms, consulting companies, and training and certification firms. We thank our partners from ALEF Distribution, Archiva Ltd., ASBIS, AxelSoft, Commvault, Info World, IXIA, Omega Trust, Providence, Relational, Romsym Data, RQM Certification, Star Storage, Tryamm and Zitec for participating in this project.

GDPR Ready Initiative

Publication of the GDPR Catalog is part of the GDPR Ready Initiative, which brings together a wide variety of projects and activities designed to help data operators and processors in Romania:

  • GDPR Explicit Articles – 15 articles published on the cloud☁mania website
  • Quick Guideline in the GDPR Catalog
  • Brochures and eBooks
  • Market studies and analyses
  • Media Partnerships
  • Organizing GDPR Events
  • Moderating GDPR panels
  • Training sessions
  • Recommendations and advice to IT companies

The GDPR requires organizations to be compliant from May 25, 2018. If you think there is still plenty of time before then to start implementing the measures needed to ensure GDPR compliance, keep in mind that the average duration of a compliance implementation may be FOUR to FIVE months, depending on the size of the organization and the type of personal data processed.


There are 209 days left!


What cloud providers need to focus on for GDPR compliance


Bart van BUITENEN – GDPR, DPO, data protection, CISO, ISO27k – is managing partner of White Wire. Bart is very active in the fascinating world of data protection and privacy, specializing in guiding GDPR implementation projects, GDPR audits, DPIAs, ISO27001 implementations and all things data protection and privacy. White Wire is a boutique consultancy firm specialized in assisting healthcare organizations, SMEs and technology firms all over the EU with their data protection needs.



If you are a cloud provider, whether or not based in the EU, it is very likely that you process personal data on European soil or concerning EU-based persons, which means the GDPR applies to you. There is even a specific term for a provider that processes personal data on behalf of another organization: the processor.

A lot of the focus has been put on the role of the ‘controller’, the organization responsible for determining the means and purposes of processing, and not enough emphasis is put on the role of the processor. And yet the GDPR changes many things for processors compared to previous data protection legislation, for example with regard to liability, responsibility and several new obligations. Below you will find what I believe to be the most important aspects for cloud providers (assuming they are indeed processors) to work on for GDPR compliance by the 25th of May 2018.

1 Data processing agreements

Controllers provide specific instructions to processors, and such instructions need to be documented in so-called “data processing agreements”. Such agreements are not new: they were also required under the previous European data protection legislation (Directive 95/46, and consequently the applicable member state law), but in practice correct and complete processing agreements are rare finds indeed.

Most organizations were not aware of the requirement for processing agreements, and for cloud providers this usually meant more work and responsibilities while getting little in return. This has changed in the GDPR: article 28 specifically mentions data processing agreements and details what they should include. Unlike before, cloud providers now have a clear incentive to create processing agreements: the agreement should include the instructions given to the cloud provider, and as such will become a very important element in determining liability (Art. 82(2)).


  • Be proactive; don’t wait for the controller to mention the agreement first! This way you have an opportunity to propose your own template and at the same time show your client that you are on top of this GDPR thing.

2 Subcontractors

Data processing agreements need to be in place with your clients, but cloud providers will often have their own subcontractors. In the world of IT, the use of subcontractors is prevalent, and many subcontractors will indeed be processors for the cloud provider. From the perspective of the clients using the cloud (the controllers), these subcontractors are sub-processors. A cloud provider needs to ask the controller’s permission to use sub-processors, something that should be addressed in your processing agreement (see section 1). Working with sub-processors can be handled through a generic permission or a specific permission per sub-processor. The processor remains liable, so rock-solid agreements with sub-processors should be high on any cloud provider’s list.


  • Asking for specific permission can be a hassle; ask for a generic permission instead and offer clients the opportunity to consult (and object to) a complete list of sub-processors at any time, e.g. by providing that list on a specific web page on your site.

3 Record of processing activities

Every controller should maintain a record of processing activities: a tool or document that details the different personal data processing activities within the organization. A lighter version also needs to be maintained by the processor and should cover all the processing activities carried out for its clients.


  • Creating such a record of processing activities will provide valuable insight into which data you process and should be one of the first actions in a GDPR implementation plan.
  • Organizations sometimes lose themselves in the details. Keep in mind that the GDPR does not require you to map every single data field; it is about processing activities, which often map very closely to the services being offered to clients.
  • Don’t keep a register per client; just make sure you can link clients to processing activities by recording the services you offer to each client in your CRM or client database.

4 Transfers outside the EU

When EU personal data is transferred to countries outside the EU, it is important that the data receives the same protections and safeguards as within EU borders. To ensure this, the GDPR includes several mechanisms, of which the most prevalent are:

  • Adequacy decisions: when the EU has determined that a country outside the EU (or a specific agreement with such a country, e.g. Privacy Shield with the US) offers adequate protection, it issues an adequacy decision. Link to current adequacy decisions:
  • Binding Corporate Rules (BCR): many multinationals have establishments in countries outside the EU. BCR document the measures an organization takes to ensure that a transfer of personal data outside the EU, but within the same organization, still offers adequate protection. Data Protection Authorities need to validate BCR before they can be applied.
  • Standard Contractual Clauses (SCC): template contracts, validated by the European Commission, that once again contain safeguards intended to guarantee adequate protection when personal data are transferred outside the EU. Link to SCC:


  • Privacy Shield and SCC are under scrutiny and may well be invalidated in the not too distant future. If at all possible, keep data within the EU.

5 Information Security vs data protection

Information security and data protection are not the same. Information security concerns all information, which includes personal data. Data protection concerns all aspects of the processing of personal data, which includes securing the information. So there is a clear overlap, but also a significant difference.

That being said, securing information against unauthorized access, loss or destruction is a very important aspect of the GDPR. In short, this aspect of the GDPR can be summarized as maintaining the confidentiality, integrity and availability (also known as CIA) of the personal data that a cloud provider processes. Keep in mind that any violation of these CIA principles (e.g. a data breach) will need to result in a notification to the controller, who in turn may need to notify data protection authorities and data subjects if the potential risks of the breach are high enough.


  • Align GDPR initiatives with information security governance. For example, the ISO27001 standard can be combined with data protection principles to provide a framework that addresses both information security and data protection.
  • Think about and document a notification procedure BEFORE you actually need it.
  • Review your need to appoint a data protection officer (DPO). Even when clients individually don’t need to appoint one, a cloud provider may still need to.

6 Obligation to assist and notify

Processors are obliged to assist or notify controllers when they hold information that a controller needs to fulfil GDPR requirements, such as performing DPIAs or the aforementioned data breach notifications.


  • Document (e.g. in the processing agreement or another contract) how the assistance should take place: how should a request be made, within what timeframe will the cloud provider respond, and are there any costs associated with the assistance?
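Sections 2, 3 and 6 describe one data model: a processor-side register of processing activities, services mapped to the activities they involve, and a client database that records which services each controller has contracted, from which the published sub-processor list and the set of controllers to notify after an incident can both be derived. The following is an added illustration in Python, not code from the article or from White Wire; every activity, service, client and sub-processor name in it is constructed for the example.

```python
"""Processor-side register of processing activities (constructed example).

Three small tables: activities (the register itself), services (each mapped to
the activities it involves) and clients (each mapped to contracted services).
Nothing is kept per client beyond the list of services, as the article advises.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessingActivity:
    name: str
    purpose: str
    data_categories: tuple   # categories of personal data, not individual fields
    sub_processors: tuple    # third parties processing on the provider's behalf
    retention: str


# The processor's register: one entry per processing activity (constructed data).
ACTIVITIES = {
    "Application hosting": ProcessingActivity(
        "Application hosting", "Run the client's application on our platform",
        ("contact details", "usage logs"), ("IaaS Provider X",), "duration of contract"),
    "Managed backup": ProcessingActivity(
        "Managed backup", "Keep recoverable copies of client data",
        ("all data held in the hosted application",), ("Offsite Storage Y",), "90 days"),
    "Support ticketing": ProcessingActivity(
        "Support ticketing", "Handle support requests from client staff",
        ("contact details", "ticket content"), (), "2 years after ticket closure"),
}

# Services offered, each mapped to the processing activities it involves.
SERVICES = {
    "Hosted CRM": ("Application hosting", "Managed backup", "Support ticketing"),
    "Backup-as-a-Service": ("Managed backup",),
    "Helpdesk": ("Support ticketing",),
}

# Client database (the CRM side): which services each controller has contracted.
CLIENTS = {
    "Acme Clinic": ("Hosted CRM",),
    "Beta Retail": ("Backup-as-a-Service", "Helpdesk"),
    "Gamma Logistics": ("Helpdesk",),
}


def validate_register():
    """Return a list of dangling references; an empty list means the tables agree."""
    problems = []
    for service, activities in SERVICES.items():
        for activity in activities:
            if activity not in ACTIVITIES:
                problems.append(f"service {service!r} references unknown activity {activity!r}")
    for client, services in CLIENTS.items():
        for service in services:
            if service not in SERVICES:
                problems.append(f"client {client!r} references unknown service {service!r}")
    return problems


def activities_for_client(client):
    """Section 3: processing activities carried out for one controller, derived, not stored."""
    return sorted({a for s in CLIENTS[client] for a in SERVICES[s]})


def sub_processor_list():
    """Section 2: the complete sub-processor list a client may consult or object to."""
    return sorted({sp for act in ACTIVITIES.values() for sp in act.sub_processors})


def controllers_to_notify(activity_name):
    """Section 6: controllers affected when an incident hits one processing activity."""
    if activity_name not in ACTIVITIES:
        raise KeyError(f"unknown processing activity: {activity_name!r}")
    return sorted(c for c, services in CLIENTS.items()
                  if any(activity_name in SERVICES[s] for s in services))


def controllers_to_notify_for_sub_processor(sub_processor):
    """Section 6 via section 2: controllers affected by an incident at a sub-processor."""
    affected = {a.name for a in ACTIVITIES.values() if sub_processor in a.sub_processors}
    return sorted({c for a in affected for c in controllers_to_notify(a)})


if __name__ == "__main__":
    assert not validate_register()
    print("Sub-processors:", sub_processor_list())
    print("Beta Retail activities:", activities_for_client("Beta Retail"))
    print("Notify for 'Managed backup':", controllers_to_notify("Managed backup"))
    print("Notify for 'Offsite Storage Y':", controllers_to_notify_for_sub_processor("Offsite Storage Y"))
```

The point of the shape is that the register stays small (three activities here, however many clients there are), while the two questions a processor is asked most often, "who processes my data?" and "who do I have to notify?", are answered by joins over the three tables rather than by maintaining a separate document per client. In a real CRM the `CLIENTS` table would be a query against the contracts module, and `validate_register()` is the check to run whenever a service or activity is added.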

7 Every processor is also a controller

Keep in mind that cloud providers are almost certainly controllers in their own right. Processes in areas such as HR, supplier management and client management all involve the processing of personal data and will need to follow GDPR principles.


  • Keep separate records of processing activities (see section 3) for controller and processor activities.

The Romanian version of this article is part of the first GDPR Ready catalogue published in Romania in October 2017. You can view the online version of the catalogue HERE. GDPR Ready Catalogue, pp. 50-53, Agora Group & cloud☁mania, Bucharest, October 2017.

