Where are you storing your data and is your storage method GDPR compliant?

Industry views

It is now less than four months until the GDPR comes into force fully and, whatever your starting position, it takes time to make the business changes needed to become compliant. The regulation places accountability on organisations to understand the data they hold, where it is stored, and to safeguard it appropriately. Where you choose to store your personal data will play a large part in how secure it is. Data can either be stored on premises or in the cloud (public or private), with many organisations choosing to utilise a hybrid approach of the two. When considering how your organisation should be storing its data, you’re likely to be thinking about cost (any investment decisions you have made already), day-to-day business needs, ease of management and of course, security. For different types of data, the importance of each factor may vary making this a complex decision.

With that in mind, our team of IT security specialists have provided some guidance on the pros and cons of each method, particularly in view of GDPR.


On-premises servers and manual filing
Most businesses use some form of on-premises data storage whether it be a manual filing system or locally saved files.


  • Fast access to files.
  • Perceived end to end control over the security and management of your company’s data.



  • If your organisation is still using a manual filing system, you’ll know that it is difficult to keep track of and takes up a lot of space. GDPR requires you to have granular knowledge of the personal data you hold and why you are holding it, and document this policy, destroying any identifiable personal data you no longer have a legal or contractual obligation to hold. This is no mean feat with this type of storage.
  • Storing files locally on a device – server or PC – means that you may be at risk of losing the data if the device is lost, broken or damaged, depending on the additional security measures in place and business continuity planning. GDPR imposes significantly higher fines and sanctions for lost personal data that cannot be recovered or protected.


Cloud-based storage
Storing data in the cloud, so that the physical data is stored externally, and accessed from your device via the internet, can be private (your service is hosted in your IT provider’s datacentre facility) or public (such as Office 365, DropBox, where the service is hosted by a third party).


  • The risk of data loss is inherently reduced as data is less reliant on a single hardware device, and will therefore more easily recoverable if a device is lost, stolen or damaged.
    The storage platform itself is no longer owned by your business, which means the management and maintenance of a hardware platform is a third party’s responsibility. This typically results in reduced capital investment and a more predictable costing structure.
    You should be able to receive assurance that the datacentre you are storing your data in is highly secure and regular back-ups are in place, meaning your data is likely to be adequately safeguarded, which is really important when it comes to GDPR compliance.
  • Data stored in the cloud can more easily be accessed from any location making Cloud storage a flexible option, particularly useful if you want to enable your staff to work from different locations or in the event of commuters facing travel challenges.



  • If you are using a Cloud service provided by a third party, this will mean that the security of your data is in their hands, so it’s important to do your homework. GDPR places accountability on you to ensure your data is secured appropriately, even if a third party is responsible. Industry best practice standards, such as ISO 27001 and Cyber Essentials Plus, are recommended as part of due diligence.


Our guidance
The storage option you choose will be dependent upon your specific business and industry requirements and the type of data you typically process and store. The Cloud offers an increasing number of benefits in terms of data security and availability, as well as being, as well as opening up additional business opportunities.

If you are still storing a large amount of data on premises, we recommend you conduct a risk analysis to understand where your vulnerabilities may lie with regard to GDPR, as the responsibility to have adequate measures in place to protect this data will be on you.

If you are already storing the majority of your data in the Cloud, it is important that you vet your cloud supplier to ensure that they can give you the assurance you need from them when it comes to GDPR. You will need to review your agreement with them to verify, for example, where your data is located, that you are happy with the backup procedure in place, how breach reporting would be dealt with and under what circumstances they would seek your consent about the processing of your data.


Contact us for: IT Security, Cloud Services, Infrastructure Consultancy, IT Management & Support

For more of our industry news and updates, follow us on: LinkedIn and Twitter