by 
Many cloud service providers are based outside of Europe and there is a fear that they won’t solve for GDPR. There is a myth that if they are not compliant it won’t harm your business. This is untrue.
Article 28 of the GDPR states:
“Where processing is to be carried out on behalf of a controller, the controller shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject.”
You are the controller asking a cloud service provider to process your personal data. Whether that’s because the tool provides you with a CRM, CMS, reporting tool or any other application.
Most cloud service providers are ready (or are getting ready as we type) and you can already see how they comply by visiting their privacy notice on their respective website. It’s time for you to check whether yours are doing this.
If you find that your cloud service provider is not GDPR ready, then ask them about it now and be prepared to find another solution before the grace period is over.