After the entry into force of GDPR in 2018, life-science research communities have had to deal with a brand-new regulatory framework, very restrictive in terms of cybersecurity and privacy measures to be implemented in case personal data (even if pseudonymized) are involved in the studies. In Italy, we have dealt with this new legal scenario creating EPIC Cloud (Enhanced PrIvacy and Compliance Cloud): a region of INFN Cloud with particular security measures in place. An important aspect this work is the construction of an Information Security Management System (ISMS) and its certification of conformance with the international standards ISO/IEC 27001 27017 27018. The adoption of an ISMS is important from the organizational perspective, in fact security measures must be integrated and coordinated to be effective. The certification of conformance is a mechanism which involves an independent third party (an accredited consulting firm) who verifies the status of the ISMS yearly. This is of paramount importance to guarantee users that the security measures are appropriate and actually applied. In this talk we’ll describe the technical and organizational measures adopted in EPIC Cloud and will discuss pain points and achieved results of our journey towards GDPR compliance. Furthermore, we'll describe how real life-science use cases, focusing on genomic and clinica data analysis, are managend in EPIC Cloud. In particular, we'll describe Health Big Data (a ten-year project founded by the Italian Health Ministry), Harmony Alliance (an European founded by the IMI2 Joint Undertaking) and other NRRP related initiatives involving EPIC Cloud.