GDPR & Co. – what requirements must a cloud provider meet?
When it comes to data protection, blind trust is the wrong approach
A guest comment by Claudia Frese*
Today, using the cloud is almost as natural as plugging in electricity. At the same time, virtual infrastructure is abstract for many, so there is a strong desire for reliable data security and the greatest possible data protection.
Research such as Bitkom’s Cloud Monitor 2021 shows that, when choosing a service provider, GDPR compliance is the most important criterion for the vast majority of surveyed companies. Many also want a data center located within the EU legal area. The reason is easy to identify: most organizations fear unauthorized access to sensitive corporate data. Others are reluctant to outsource parts of their cloud infrastructure because the legal situation is unclear. After all, a legally sound transfer of data to service providers outside the EU – for example in the USA – is currently not possible.
The fact is: cyber attacks against companies are a major risk today, so security matters to them more than ever. Good cloud providers implement many security measures in the background, such as physical and logical separation, encryption, change management, backup, and business continuity, and carefully monitor cyber activity, technical failures, and misconfigurations in their own interest.
When it comes to data protection, however, the situation for companies using the services is a little more difficult: storing personal data in the cloud generally poses a problem if the providers’ servers are located in countries with less strict rules. In the US and China, for example, authorities and intelligence agencies can access data stored there. Since many customers are at least vaguely aware of this compliance dilemma, US providers now store European customers’ data within the EU.
In case of doubt, however, this still does not bring absolute legal certainty, because the domicile of a provider is also a decisive factor for compliance with data protection regulations: companies based in the USA are obliged, at the request of government authorities and sometimes even without a court order, to hand over data – including personal data. A server location in Germany or the EU does not change this. Such an approach is purely cosmetic.
To achieve legal certainty, you should encrypt the data independently, under your own control, before it ever reaches the cloud. And even then it is not yet clear whether this is really sufficient. In any case, the European Court of Justice (ECJ) has struck down the long-negotiated agreement on how to handle data transfers to the US – keyword “EU-US Privacy Shield”.
A European cloud provider with a data center within the EU is currently the best option. It must comply with the strict requirements of the GDPR and, in the field of electronic communication, with those of the so-called ePrivacy Directive, which will be replaced in the future by the ePrivacy Regulation and which in Germany has already been transposed into national law through the new Telecommunications and Telemedia Data Protection Act (TTDSG).
Regardless, customers should watch for hidden pitfalls when choosing the right provider: does the cloud host operate its own data centers or use other colocation providers? Only a provider that discloses this is GDPR compliant. If other platforms are involved, transparency about where and how the data is actually managed is also essential.
Cooperation with third-party providers must also be precisely regulated. Since many providers obtain services from partners – for example for data management or backup – there is a risk that personal information will fall into unauthorized hands, or that security certifications will become invalid because the auditor cannot monitor the subcontractor’s services. The attitude “where there is no plaintiff, there is no judge” ends at the latest when the competent supervisory authority or the public prosecutor’s office opens an investigation.
Additionally, companies should not fall for the illusion that they can shift the entire responsibility by outsourcing to a provider. As the controller of personal data, the respective company remains responsible for meeting security and compliance requirements. The C5 criteria catalogue for minimum requirements for secure cloud computing from the Federal Office for Information Security (BSI) demands “shared responsibility”: the catalogue contains extensive requirements for the cloud provider, for example in terms of query management. At the same time, however, the BSI also holds cloud customers accountable through their respective audits. This means that users of such services must independently check whether their provider complies with all data protection regulations.
Companies should be able to expect their provider to be transparent about storage location and the data security standards applied. After all, it is a valuable asset that is entrusted to the provider – sensitive data, often customer data, which must be protected accordingly. Blind trust in cloud providers and other external partners is therefore misplaced.
* Author Claudia Frese is managing director of Strato AG in Berlin.