29 October 2021

Alice in the Cloud-Land

The cloud tempts with its simplicity, effortless implementation, and maximum scalability. Providers also tout the opportunity to reduce IT investment costs – freeing up capital to flow into core business value creation. But caution is warranted!

It is all too easy to violate data subjects’ rights under the GDPR and find the Red Queen herself serving you with legal process. Like Alice in Wonderland, cloud users may find personal data protection just as magical, and at times just as obscure, as that fantastical tale.

The Stolen Cakes

For data subjects, personal data is often just as valuable as the stolen cakes are to the Red Queen. So how can such data go missing, especially when cloud providers proudly advertise exemplary compliance and strict adherence to the GDPR? The Research Services of the German Bundestag (Wissenschaftliche Dienste) spell out this dilemma with striking clarity in their briefing paper “GDPR and the Use of U.S. Cloud Services”.

Don’t let anyone steal your cakes – ahem, your personal data. Here’s what you need to know. Source: Adobe Stock / Olyina

As the title itself hints, the core risk lies in unauthorized disclosure of personal data through access by U.S. security authorities under the CLOUD Act (Clarifying Lawful Overseas Use of Data Act). Crucially, the CLOUD Act reaches any provider subject to U.S. jurisdiction regardless of where the data is stored, so a server located within the European Economic Area (EEA) is no guarantee against such access if the operator belongs to a U.S. corporate group. Compounding the problem: in cases of GDPR violations, particularly those arising from CLOUD Act-based access, data subjects have in practice no effective legal remedy.

A further complication may arise from intensified efforts to regulate web content. Cloud storage is already scanned for criminally relevant material, for example in pursuit of the fundamentally legitimate goal of protecting children. Yet even today, controllers struggle to assess precisely how far such access extends or how their data is processed during scanning. A further expansion of content scanning by private cloud providers could pose risks beyond personal data protection, especially where business-critical data is affected.

The Mad Hatter Invites You to Tea

Amidst all the requirements and promises, it is often difficult to keep track, and to judge which measures are truly needed to ensure lawful data processing. Since using a U.S.-based cloud provider is treated as a transfer of personal data to the United States, a third country without an adequacy decision, the processing must comply with the transfer rules in Chapter V of the GDPR (Article 44 et seq.). And ever since the Court of Justice of the European Union (CJEU) struck down the EU-U.S. Privacy Shield in its Schrems II ruling, removing the adequacy decision that many transfers had relied on, you may sometimes feel like you are once again denied the promised cup of tea.

The transfer mechanisms that remain available are approved Binding Corporate Rules (BCRs) for transfers within a corporate group that demonstrates GDPR-compliant processing, or the new Standard Contractual Clauses (SCCs) adopted by the European Commission in 2021. Even then, Schrems II requires the data exporter to assess the law of the destination country and, where it falls short, to implement supplementary measures. The objective: ensuring a level of protection essentially equivalent to that in the EEA, including against access by U.S. security authorities.

Out of the Labyrinth


Just as the Cheshire Cat shows Alice the way, Article 32(1)(a) of the GDPR names pseudonymisation and encryption as suitable technical measures for meeting these requirements. In its “Guidelines 07/2020 on the concepts of controller and processor in the GDPR, Version 2.0”, the European Data Protection Board (EDPB) specifies that personal data must be encrypted before transmission and that the encryption key must not be known to the cloud provider. The EDPB’s Recommendations 01/2020 on supplementary measures make the same point in their first use case, encrypted storage in a third country: the keys must remain solely under the control of the data exporter, and the encryption must be strong enough to withstand the analysis capabilities of the public authorities concerned.

TeleTrusT’s Cloud Security Guide offers a concise, practical overview of security measures for safe cloud application use. Under the heading “Integrated Encryption”, it explains and compares common terminology.

There are various approaches to data encryption – each with its own advantages and drawbacks. Source: Adobe Stock / Dario Lo Presti

Many providers offer BYOK (Bring Your Own Key), where the customer generates the key but then imports it into the provider’s key management service. From that moment the key is “technically” known to the provider, and key management (storage, rotation, backup) runs automatically within the provider’s infrastructure, just as with provider-generated Service-Managed Keys.
This protects well against outside attackers and against accidental disclosure by the provider, but not against the provider itself being compelled to decrypt. Measured against the EDPB’s requirement that the key must not be known to the provider, BYOK therefore does not deliver the legal safeguard the GDPR demands!

Instead, make sure your cloud solution supports HYOK (Hold Your Own Key), in which a key the provider never receives is required for decryption. In practice this is built with two keys: a key-encryption key held exclusively by the customer, without which no data can be decrypted, and a data key that lives inside the provider’s infrastructure and is itself encrypted under the customer’s key. This split preserves essential IT security functions such as automated key rotation, which would otherwise break down (or incur significantly higher administrative overhead) if a single customer-held key were used directly for every object.

These recommendations apply equally to smaller-scale deployments. Even storing personal data on Google Drive, OneDrive or Dropbox without additional safeguards raises the same GDPR transfer issue. Tools like Cryptomator enable GDPR-compliant storage even for private users. The principle is simple: create a Cryptomator vault inside your Dropbox folder and save files through the unlocked vault; Cryptomator encrypts file contents and file names on your device before they ever reach the sync client, and the vault password never leaves it. This preserves the cloud application’s native sync capabilities while the provider only ever sees ciphertext.
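To make the HYOK idea concrete, here is an added example, written for this edit and not code from the article, from TeleTrusT’s guide or from Cryptomator: client-side envelope encryption in Go using only the standard library’s AES-256-GCM. The function names, the CloudObject layout, the version label used as associated data and the sample record are all assumptions of this example. The provider stores only the ciphertext and a per-object data key wrapped under the customer’s key-encryption key; decryption and rotation of the customer key happen on the client, and rotation re-wraps the data key without touching the bulk ciphertext.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"io"
)

// Added example, not code from the article, TeleTrusT or Cryptomator: client-side
// envelope encryption. The customer keeps the key-encryption key (KEK); the provider
// stores only ciphertext plus a data key wrapped under that KEK, so it cannot decrypt.

// CloudObject is the only thing uploaded, i.e. everything the provider ever sees.
type CloudObject struct {
	WrappedDEK []byte // per-object data key, AES-256-GCM-encrypted under the KEK
	KEKVersion int    // which customer KEK wrapped the DEK (drives rotation)
	Ciphertext []byte // nonce || AES-256-GCM(DEK, plaintext)
}

// randBytes draws from the OS CSPRNG; a failure there is fatal by design.
func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := io.ReadFull(rand.Reader, b); err != nil {
		panic(err)
	}
	return b
}

// aead builds AES-GCM for a 32-byte key; only a wrong key length can fail here.
func aead(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return gcm
}

// seal encrypts under a fresh random nonce and prepends that nonce to the output.
func seal(gcm cipher.AEAD, plaintext, aad []byte) []byte {
	nonce := randBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, aad)
}

// open reverses seal; it fails on any change to nonce, ciphertext, tag or AAD.
func open(gcm cipher.AEAD, data, aad []byte) ([]byte, error) {
	if len(data) < gcm.NonceSize() {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return gcm.Open(nil, data[:gcm.NonceSize()], data[gcm.NonceSize():], aad)
}

// kekAAD ties a wrapped DEK to the KEK version it was wrapped under.
func kekAAD(v int) []byte { return []byte(fmt.Sprintf("kek-v%d", v)) }

// Encrypt runs on the customer side before upload: fresh DEK per object, the DEK
// wrapped under the KEK, the bulk data under the DEK. The KEK never leaves the client.
func Encrypt(kek []byte, kekVersion int, plaintext []byte) *CloudObject {
	dek := randBytes(32)
	return &CloudObject{
		WrappedDEK: seal(aead(kek), dek, kekAAD(kekVersion)),
		KEKVersion: kekVersion,
		Ciphertext: seal(aead(dek), plaintext, nil),
	}
}

// Decrypt needs the customer KEK, which is precisely the step the provider cannot do.
func Decrypt(kek []byte, obj *CloudObject) ([]byte, error) {
	dek, err := open(aead(kek), obj.WrappedDEK, kekAAD(obj.KEKVersion))
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return open(aead(dek), obj.Ciphertext, nil)
}

// RotateKEK re-wraps the DEK under a new KEK without touching the bulk ciphertext,
// so rotating the customer-held key is cheap even for large objects.
func RotateKEK(oldKEK, newKEK []byte, newVersion int, obj *CloudObject) error {
	dek, err := open(aead(oldKEK), obj.WrappedDEK, kekAAD(obj.KEKVersion))
	if err != nil {
		return err
	}
	obj.WrappedDEK, obj.KEKVersion = seal(aead(newKEK), dek, kekAAD(newVersion)), newVersion
	return nil
}

func main() {
	kek, newKEK := randBytes(32), randBytes(32)
	obj := Encrypt(kek, 1, []byte("name=Alice;dob=1990-01-01")) // constructed sample record
	fmt.Printf("uploaded: %d B ciphertext, %d B wrapped DEK, nothing in clear\n", len(obj.Ciphertext), len(obj.WrappedDEK))
	_ = RotateKEK(kek, newKEK, 2, obj)
	pt, err := Decrypt(newKEK, obj)
	fmt.Println("new KEK:", string(pt), err)
	_, err = Decrypt(kek, obj)
	fmt.Println("retired KEK:", err)
}
```

Run it with `go run`: after rotation the retired key no longer decrypts, and any tampering with the stored bytes or with the version label is rejected, because GCM authenticates nonce, ciphertext and associated data together. What this does not do is hide file sizes, file names or access patterns, which the provider still observes, and it is no substitute for the transfer impact assessment described above.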

With solutions like these, you’ll ensure no one steals your precious cakes – i.e., your personal data. We’d be delighted to advise you on your individual cloud configuration to guarantee both flawless data protection and high IT security.

Feel free to reach out!

Many questions, but no answers? Our experts at msecure are ready to help with all your questions about data protection and IT security, tailored to your specific cloud setup.

Key Facts

GDPR implementation: Only 28 percent of German companies consider themselves fully GDPR-compliant.

Highest single fine: €1.2 billion against Meta, imposed by the Irish Data Protection Commission in May 2023 over transfers of Facebook user data to the U.S. after Schrems II, and the largest GDPR penalty to date.

Frequently Asked Questions

What penalties apply for GDPR violations?

Fines of up to €20 million – or 4 percent of global annual turnover – whichever is higher. In addition, affected individuals may file claims for damages.

What is a Data Protection Impact Assessment (DPIA)?

A DPIA is a systematic evaluation of the risks a data processing operation poses to the rights and freedoms of data subjects. It is mandatory whenever processing is likely to result in a high risk, for instance systematic and extensive profiling, large-scale video surveillance of publicly accessible areas, or large-scale processing of special categories of personal data.

Does the GDPR apply to small businesses?

Yes. The GDPR applies to any organisation processing personal data of people in the EU, regardless of size. Small businesses benefit from limited relief (Article 30(5): organisations with fewer than 250 employees need not maintain a record of processing activities unless the processing is likely to result in a risk, is not occasional, or involves special categories or criminal-conviction data), but must still uphold all core GDPR principles.


Header Image Source: Adobe Stock / Haibullaev

Fact: According to IBM’s Cost of a Data Breach Report 2024, the global average cost of a data breach reached USD 4.88 million.

About the author: Klaus Hauptfleisch

A magazine by Evernine Media GmbH