The Forthcoming General Data Protection Regulation in the EU: Higher Compliance Costs Might Slow Down Small and Medium-sized Enterprises’ Adoption of Infrastructure as a Service
Keywords:Cloud computing, IaaS, SME, data protection, IT outsourcing, GDPR, transaction cost
Cloud-based services (especially IaaS) are widely used by businesses, including small and medium-sized enterprises. The recently adopted General Data Protection Regulation is going to influence the EU cloud computing market significantly, and SMEs using IaaS to process personal data of their clients face a need to adapt to those changes if they are to remain compliant with the data protection rules. The objective with the paper was to look into the regulation adopted and identify the aspects that significantly influence the relations between a cloud provider and a client, especially if seen from the perspective of SMEs. Further, the paper discusses whether IaaS will be an obvious choice for SMEs seeking to hire computer infrastructure resources for the purpose of processing personal data when the compliance efforts necessary after the General Data Protection Regulation comes into force are taken into account. The findings suggest that forthcoming changes could significantly affect the industry and, in light of the likely increase in transaction costs, that SMEs may want to consider traditional outsourcing services instead. Consequently, the results of the data protection reform would be contradictory to other objectives of the European Commission, especially that of wider adoption of cloud services by SMEs.