Cloud Security 101: What are Safe Harbor and GDPR Regulations?


This is the fifth blog of a series that provides the basics of information security in the cloud. In this series, we will provide definitions and best practices for many of the elements that should be considered as part of a cloud security program. In addition to a blog, each topic will also have a short video, providing some additional information on the subject.  The previous blog and video discussed the topic: "What is Data Sovereignty?"  In this installment, we will be discussing the topic: "What are Safe Harbor and GDPR Regulations?"

The Safe Harbor Principles and the General Data Protection Regulation (GDPR) are two of the many laws and regulations that are part of the data sovereignty discussion. Specifically, the Safe Harbor Principles were an agreement between the European Union and the United States that allowed some US-based companies to comply with EU data privacy protection regulations. The GDPR is a new regulation, proposed by the European Commission and adopted by the EU, that strengthens and unifies data protection standards for citizens of the EU.

Some historical background: in July 2000, the United States and the European Commission agreed on what came to be known as the Safe Harbor Principles. Then, in October 2015, those principles were invalidated by the European Court of Justice, which required the US and the EU to come up with a new arrangement. In February 2016, they came to a tentative agreement (called the Privacy Shield), only to find in April 2016 that the agreement still did not provide adequate privacy guarantees. The GDPR predates the invalidation of Safe Harbor: the European Commission proposed a draft of the GDPR in January 2012. In April 2016, the EU Parliament adopted the regulation, and it will take effect after a two-year transition period.

Those selecting a cloud infrastructure should research the latest updates on data sovereignty regulations, specifically to understand and evaluate the impact of these regulations on their cloud workloads and data. Most cloud providers have the ability to move or segregate workloads based on data locality requirements; make certain that the contract and SLAs specify these requirements explicitly, and verify that the placement of data (including replicas and backups) actually matches what was agreed.
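A contract clause is only as good as the inventory that backs it up. The following is an added example, not code from the original post or from HPE, showing the kind of residency check a practitioner can run over a resource inventory: every location where personal data sits, including replica and backup regions, is compared against an allowed-region list. The region names, the resource fields and the inventory itself are constructed for illustration and are not tied to any specific provider's API.

```python
"""Data-residency check over a cloud resource inventory (added example)."""
from dataclasses import dataclass

# Hypothetical policy: personal data of EU residents must stay in these
# regions. The names are illustrative and are an assumption of this example.
EU_REGIONS = frozenset({"eu-west-1", "eu-central-1", "eu-north-1"})


@dataclass(frozen=True)
class Resource:
    """One inventory entry. Fields are assumed for this example."""
    name: str
    region: str                 # primary location of the data
    holds_personal_data: bool   # only these resources are in scope
    replica_regions: tuple = () # replicas, backups, DR copies


def residency_violations(resources, allowed_regions=EU_REGIONS):
    """Return [(resource name, offending region)] for every location where
    personal data would sit outside allowed_regions.

    Resources that hold no personal data are out of scope. Replica and backup
    regions are checked as well, because a backup stored in another
    jurisdiction is still a cross-border transfer of the data.
    """
    violations = []
    for r in resources:
        if not r.holds_personal_data:
            continue
        for region in (r.region, *r.replica_regions):
            if region not in allowed_regions:
                violations.append((r.name, region))
    return violations


# Constructed inventory for the example; not real infrastructure.
SAMPLE_INVENTORY = [
    Resource("customer-db", "eu-central-1", True, ("eu-west-1",)),
    Resource("customer-db-backup", "eu-central-1", True, ("us-east-1",)),
    Resource("public-website-assets", "us-east-1", False),
    Resource("analytics-export", "ap-southeast-1", True),
]


if __name__ == "__main__":
    for name, region in residency_violations(SAMPLE_INVENTORY):
        print(f"{name}: personal data located in disallowed region {region}")
```

In the constructed inventory the primary customer database is compliant, but its backup replicates to a non-EU region and the analytics export lives entirely outside the EU; both are reported, while the public website assets are ignored because they hold no personal data. In practice the inventory would be pulled from the provider's resource listing, and the allowed-region set from the contract.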

Data sovereignty and privacy regulations differ significantly worldwide, and the regulations discussed here are just a single example of how privacy laws can potentially affect businesses with a global reach. A recent study showed that there are at least 109 countries that have some kind of data privacy regulation, and that number continues to increase annually. With the continued globalization of technological infrastructure and the expansion of cloud-related services to non-traditional technology hubs, understanding these types of data regulations can potentially decrease a company's liability and compliance costs and allow a company to evaluate the risks of implementing a cloud solution subject to these types of regulations.

For the next blog in this series, we will discuss the cloud security topic: "What is Identity Management?" To learn more about hybrid cloud security, download the whitepaper from 451 Research Group. You can also learn more about the HPE Right Mix hybrid cloud, as well as the Right Mix approach to cloud security. To find the additional parts, please search for Cloud Security 101.



About the Author


Chris Steffen is the Chief Evangelist for HPE Cloud Security. He is part of the HPE Helion team that works to educate and promote information security as it relates to cloud computing solutions. Before joining HPE, Chris spent over 15 years as an IT executive and security practitioner in multiple industries, including financial services, manufacturing and government. He is a noted industry expert, and has multiple technical certifications, including CISSP and CISA. You can follow him on Twitter at @CloudSecChris.