Implementing Cloud solutions in a GDPR-compliant manner
Digital services, data analysis and a stronger customer focus are some of the cornerstones on which companies are repositioning themselves for digitalization. It is therefore inevitable that sensitive data will also be processed and stored digitally. At the same time, ever more computing and storage capacity is moving to the cloud. Companies face the challenge of reconciling the overdue modernization of their IT with the protection that sensitive data requires. What they need are clear processes and legally compliant solutions for every system that comes into contact with personal data.
The EU General Data Protection Regulation (GDPR) contains various requirements for data protection in the cloud that must be addressed when concluding a contract with a cloud service provider. This generally includes a data processing agreement (Art. 28 GDPR, sometimes translated from the German as "order processing agreement"), which governs how the provider, as processor, may handle personal data on the company's behalf.
The GDPR also contains basic data protection principles (such as data minimization) and data subject rights (above all the right of access under Art. 15). When companies work with external service providers, hosters and several platforms at once, they must ensure data protection even in complex processing chains. After all, a data protection breach entails legal consequences: fines of up to 20 million euros or four percent of worldwide annual turnover, whichever is higher (Art. 83 GDPR), as well as claims for damages by data subjects.
Because of these requirements, both the location of the data centers and the corporate seat of the provider matter a great deal. Personal data may only be transferred to third countries (countries outside the EU/EEA) if an adequate level of protection is ensured, either by an adequacy decision of the European Commission or by appropriate safeguards such as standard contractual clauses (Chapter V GDPR).
Against the backdrop of market domination by U.S. providers, companies must pay special attention when transferring data to recipients in the United States. In its "Schrems II" ruling (C-311/18), the Court of Justice of the EU declared the "Privacy Shield" agreement between the EU and the USA invalid. At the same time, the ruling imposes additional obligations on the use of standard contractual clauses: the exporter must verify that the law of the destination country does not undermine the protection the clauses promise, and must add supplementary measures where it does. These checks are currently performed as a Transfer Impact Assessment that companies must carry out in addition to concluding standard contractual clauses. Data transfers to U.S. locations are therefore subject to additional requirements.
Companies that run a privacy-friendly cloud in the EU, hosted by a European cloud provider that meets local data protection requirements, benefit twice over: they receive a scalable infrastructure with flexible billing, and they avoid the additional hurdles of third-country transfers as well as exposure to access by non-EU authorities. Hosting in the EU does not remove a company's own GDPR obligations, but it removes an entire class of transfer risk. Companies that take data protection seriously should therefore opt for locations and providers in the EU.
Protection against government access powers
Privacy-friendly solutions in the EU can also protect companies against government data access under foreign law (FISA Section 702, the CLOUD Act and others). For example, the CLOUD Act (Clarifying Lawful Overseas Use of Data Act) allows U.S. authorities to compel providers subject to U.S. jurisdiction to hand over certain types of customer data. This applies regardless of where the data is stored, so data held in EU data centers of a U.S. provider, or of a provider controlled by a U.S. parent company, can still be within reach. When a provider offers "data centers in the EU" as an argument, companies should therefore always ask which access powers could apply to that provider and whether they pose a risk for the data in question.
A multi-cloud strategy enables the parallel use of cloud resources from different providers, which in turn makes it possible to separate individual workloads by the data they touch. Depending on the protection needs of that data, a workload can then be placed on a hyperscaler's platform or with an EU provider.
This gives companies access to the versatile development tools and interfaces of each provider while allowing them to process critical data according to the relevant compliance requirements. Provided there are no data transfers from the EU to third countries, this avoids the headaches involved in data export under data protection law, in particular the question of what constitutes an adequate level of protection. Note that a transfer is not only a physical copy of the data abroad: remote access to EU-hosted data by a provider's support or administration staff located in a third country also counts as a transfer and must be covered in the same way.
plusserver offers a broad portfolio of solutions for GDPR-compliant cloud usage scenarios and multi-cloud setups. Simply get in touch with us. We look forward to supporting you with your privacy-compliant cloud strategy.