GDPR Cloud Migration: 12-Point Checklist

Practitioner note: This is not legal advice. For specific situations, consult a qualified attorney or compliance officer.

TL;DR

  • Three phases: pre-migration (1-4), migration (5-8), post-migration (9-12)
  • Pre-migration core: provider comparison, DPA negotiation, TIA, DPIA
  • Migration core: data flow mapping, encryption, audit logging, customer-lockbox setup
  • Post-migration core: employee training, privacy notice update, breach workflow with cloud escalation, exit plan
  • Exit plan is the most often forgotten: document data formats, restore window and deletion confirmation

1. Pre-migration (steps 1-4)

  1. Provider comparison including DPF status and EU-region availability.
  2. DPA negotiation with mandatory clauses (sub-processor list, audit rights, breach notification windows).
  3. Transfer Impact Assessment (TIA) for any third-country component.
  4. Data Protection Impact Assessment (DPIA) for high-risk processing moving to the cloud.

2. Migration (steps 5-8)

  5. Data-flow mapping and records-of-processing update.
  6. Encryption at rest and in transit, with documented key management.
  7. Customer-lockbox or equivalent provider-access controls activated.
  8. Audit logging enabled, retention period set in line with the retention concept.

3. Post-migration (steps 9-12)

  9. Employee training on the new platform's privacy controls.
  10. Privacy notice updated with new processor and data location.
  11. Breach workflow updated with cloud-specific escalation paths.
  12. Exit plan documented: data return format, restore window, deletion confirmation.

4. Provider comparison

  Region                Provider                                                    Note
  --------------------  ----------------------------------------------------------  ------------------------------------
  EU                    IONOS Cloud, StackIT, OVHcloud, Hetzner                     EU-only, no DPF dependency
  US (with EU region)   AWS Frankfurt, Azure with EU Data Boundary, GCP EU regions  DPF-certified; TIA still recommended

5. Exit plan in detail

An exit plan must specify the data export format (open, non-proprietary formats preferred: Parquet, JSON, CSV), the restore window (90 days is standard practice), and the formal deletion confirmation that the provider must issue once the window closes. Without these clauses, recovery from a forced provider change becomes painful and slow.
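The three exit-plan clauses above are only worth anything if they are tested against a real data-return bundle before the provider relationship ends. The script below is an added example, not part of the checklist or of any provider's tooling; it assumes the provider delivers a manifest (file list with SHA-256 digests plus export and restore-until dates) and a separate deletion confirmation, and all sample data is constructed inline. It checks each delivered file for an open format, verifies the digest, performs a minimal restore test by parsing the file, checks the restore window against the 90-day minimum, and checks that the deletion confirmation covers every dataset and is dated after the window closed.

```python
"""Verify a provider's data-return bundle against the exit-plan clauses.

Assumed (not from the page): the provider ships a manifest with a file list
plus SHA-256 digests, export/restore-until dates, and a separate deletion
confirmation document. All sample data below is constructed.
"""
import csv
import hashlib
import io
import json
from datetime import date

OPEN_FORMATS = {"parquet", "json", "csv"}   # export formats the checklist names
MIN_RESTORE_DAYS = 90                        # restore window the checklist calls standard


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def readable(name: str, blob: bytes) -> bool:
    """Minimal restore test: the file must actually parse, not just carry the right extension."""
    ext = name.rsplit(".", 1)[-1].lower()
    try:
        if ext == "json":
            json.loads(blob.decode("utf-8"))
        elif ext == "csv":
            rows = list(csv.reader(io.StringIO(blob.decode("utf-8"))))
            return len(rows) > 0
        elif ext == "parquet":
            # Parquet files start and end with the magic bytes "PAR1"; checked without a parquet library.
            return blob[:4] == b"PAR1" and blob[-4:] == b"PAR1"
        else:
            return False
        return True
    except (UnicodeDecodeError, ValueError):
        return False


def check_export(manifest: dict, files: dict, deletion) -> list:
    """Return a list of findings; an empty list means the bundle satisfies all three clauses."""
    findings = []
    listed = set()
    for entry in manifest["files"]:
        name, expected = entry["name"], entry["sha256"]
        listed.add(name)
        if name.rsplit(".", 1)[-1].lower() not in OPEN_FORMATS:
            findings.append(f"format: {name} is not in an open export format")
        blob = files.get(name)
        if blob is None:
            findings.append(f"missing: {name} listed in manifest but not delivered")
            continue
        if sha256_hex(blob) != expected:
            findings.append(f"integrity: {name} digest does not match manifest")
        elif not readable(name, blob):
            findings.append(f"restore: {name} could not be parsed")
    for name in files:
        if name not in listed:
            findings.append(f"unlisted: {name} delivered but absent from manifest")

    exported = date.fromisoformat(manifest["exported_on"])
    restore_until = date.fromisoformat(manifest["restore_until"])
    window = (restore_until - exported).days
    if window < MIN_RESTORE_DAYS:
        findings.append(f"restore-window: {window} days is below the {MIN_RESTORE_DAYS}-day minimum")

    if deletion is None:
        findings.append("deletion: no deletion confirmation from the provider")
    else:
        if date.fromisoformat(deletion["confirmed_on"]) < restore_until:
            findings.append("deletion: provider confirmed deletion before the restore window closed")
        uncovered = listed - set(deletion["datasets"])
        if uncovered:
            findings.append(f"deletion: confirmation omits {sorted(uncovered)}")
    return findings


def constructed_bundle(tamper: bool = False):
    """Build a small constructed bundle; tamper=True alters one file after the manifest was produced."""
    files = {
        "customers.csv": b"id,email\n1,a@example.org\n2,b@example.org\n",
        "orders.json": json.dumps([{"id": 10, "customer": 1}]).encode(),
    }
    manifest = {
        "exported_on": "2024-01-15",
        "restore_until": "2024-04-15",   # 91 days after export
        "files": [{"name": n, "sha256": sha256_hex(b)} for n, b in files.items()],
    }
    deletion = {"confirmed_on": "2024-04-16", "datasets": list(files)}
    if tamper:
        files["orders.json"] = b"[]"     # content changed after the digest was recorded
    return manifest, files, deletion


if __name__ == "__main__":
    for tamper in (False, True):
        m, f, d = constructed_bundle(tamper)
        print("tampered" if tamper else "clean", check_export(m, f, d) or "OK")
```

Run this against the provider's actual bundle during a scheduled restore drill, not only at offboarding; a manifest mismatch or an unparseable file found while the contract is still live is a support ticket, whereas the same finding after the restore window closes is data loss.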

Summary

Cloud migration adds four GDPR risk categories: contract gaps, transfer issues, configuration drift and lock-in. The 12-point checklist closes each at the right phase. Treat the exit plan as a first-class deliverable: it is the deliverable most often skipped and the one with the highest cost when it's missing.


Frequently Asked Questions

Which cloud provider is suitable for SMEs?
For sensitive data: StackIT/IONOS (Germany). For standard use: Microsoft 365 with the EU data boundary.
What if the Data Privacy Framework collapses?
Trigger the exit plan. Migration to an EU alternative takes 2-6 months.