Certifications for Proving GDPR Compliance
Although the use of cloud services promises many economic benefits, potential cloud users often have limited trust in the services offered because of privacy and data security concerns. Particularly in the case of highly complex technologies such as cloud computing, which are offered in different service and delivery models, a company that wants to outsource its data processing “to the cloud” as part of processing will hardly be able to independently assess whether a cloud provider offers the “sufficient guarantees” required by Art. 28 (1) GDPR - that is, that appropriate technical and organizational measures are in place in such a manner that processing will meet the requirements of the General Data Protection Regulation (GDPR). Cloud users also lack the means for monitoring whether a cloud service continuously meets these legal requirements.
A common strategy to reduce users’ security, privacy, and reliability uncertainty and to signal trustworthiness and adequate risk prevention is the adoption of certifications, which is particularly important for small- and medium-sized cloud service providers. Certifications offer multifarious advantages for all stakeholders involved. By providing information about the privacy and security of a cloud service, certifications increase transparency and reduce concerns of cloud users. In addition, cloud users can prove to their customers that they are using a compliant cloud service. Cloud providers also achieve benefits such as receiving expert feedback on their cloud service and increasing trustworthiness. In this manner, certified cloud providers can achieve competitive advantages over other cloud providers.
For the first time, the GDPR lays down the foundations for the development of technology-specific data protection certification to prove GDPR compliance in Art. 42. However, despite the many advantages and the great importance of certifications, the GDPR does not contain any criteria against which the compliance of data processing operations with data protection requirements can be assessed. This is where the research project “European Cloud Service Data Protection Certification (AUDITOR)”, funded by the German Federal Ministry of Economic Affairs and Energy (BMWi), comes in. The research project is led by Prof. Ali Sunyaev (Karlsruhe Institute of Technology; KIT) and involves many project partners from industry and research. The aim is to design, implement, and test a sustainable European data protection certification approach for cloud services.
“The goal of the AUDITOR project is to improve the comparability of cloud services which are offered by companies located in different EU member states, and in this way to create transparency. This is above all beneficial for SMEs, but also for large companies, because new market potential can be opened up on the basis of an enduringly applicable EU-wide data protection certification for cloud services in accordance with the GDPR. Our work on further developing and substantially improving the certification of cloud services is in the interests of all players in the market,” according to Prof. Dr. Ali Sunyaev, KIT.
European Cloud Service Data Protection Certification
Within the AUDITOR project, a criteria catalogue was developed which, together with the certification scheme, forms the basis for the data protection certification. The AUDITOR criteria catalogue translates the technology-neutral regulations of the GDPR into verifiable, normative criteria that a cloud provider must fulfil. The criteria
catalogue is aimed at cloud providers, regardless of their respective service or deployment model, such as Software-as-a-Service, Platform-as-a-Service, and Infrastructure-as-a-Service. The criteria catalog focuses on the criteria that the cloud provider must meet in its role as a processor of data processing operations. In addition to its role as a processor, the cloud provider always processes personal data of the cloud user in order to be able to provide the desired cloud service. This includes contact and payment data of the cloud user (e.g. names, addresses, bank information) and usage data (e.g. user names, IP addresses, log data). The core elements of the criteria catalog are the normative criteria which have been developed from the relevant requirements of the GDPR for processing. For each certification criterion, legal explanations and information are given on how the cloud provider can implement the criteria and demonstrate their compliance in the certification procedure. Thematically related criteria are organized into individual chapters.
Pursuant to Art. 43 (1) (1) GDPR, certification bodies may issue certifications alongside data protection authorities. However, a certification body may only commence its activities if it has been accredited by a relevant national accreditation body (in Germany, the Deutsche Akkreditierungsstelle; DAkkS) in cooperation with the competent supervisory authority. The prerequisite for accreditation is being in compliance with the requirements under Art. 43 (2) GDPR and the supplementary requirements for accreditation under Art. 43 (3) GDPR proposed by the German Data Protection Conference in conjunction with DIN EN ISO/IEC 17065. The accreditation is based on a conformity assessment program, which must be developed individually for each certification. The conformity assessment program describes the specific requirements, rules, and test procedures for performing certification assessments in order to ensure that the certification results are comparable and conducted in a systematic manner. The AUDITOR conformity assessment program will be administered and further developed in the future by the Competence Network Trusted Cloud e.V. as program owner. It will be made available to interested certification bodies for non-discriminatory measures to ensure a broad application of the AUDITOR certification.
Art. 42 and 43 GDPR have laid the foundation for certification under data protection law. By means of certification, cloud providers can prove that their data processing operations are following the requirements of the GDPR.
Certification can thus contribute to transparency and confidence building in the cloud services market. Accreditation of certification bodies creates further trust and comparability between certification procedures. In order to test the AUDITOR certification procedure, several pilot certifications with cloud providers were carried out within the AUDITOR project and the results underline the high maturity of the AUDITOR certification. The AUDITOR certification program was submitted for review by the DAkkS and supervisory authority at the beginning of February 2020.
If the certification criteria are approved by the competent supervisory authority under Art. 57 (1) lit. GDPR, and if a cloud provider successfully passes a nationally approved certification procedure, it is entitled to use a certification seal as a result of the (successful) certification attestation. However, the cloud provider may only use this certification seal in national business transactions, because the scope of this certification seal is limited to the territory of the respective Member State. For technologies such as cloud computing, which are offered on a cross-border basis, national certification procedures offer limited benefits. Since the Europe-wide certification promises great advantages especially for cloud computing due to the transnational cloud services market, AUDITOR is striving for Europe-wide recognition as a cloud-specific certification mechanism in the future.
The interdisciplinary, application-oriented research project AUDITOR (FKZ: 01MT17003G) is funded by the German Federal Ministry of Economic Affairs and Energy on the basis of a resolution of the German Bundestag.
The AUDITOR criteria catalogue and other documents have all been published and can be downloaded from the following link: www.auditor-cert.de/publikationen/
Further information: www.auditor-cert.eu
- Maier, N., Lins, S., Teigeler, H., Roßnagel, A. & Sunyaev, A. (2019). Die Zertifizierung von Cloud-Diensten nach der DSGVO. In: Datenschutz und Datensicherheit (DuD), 43 (4), p. 225- 229. DOI: https://doi.org/10.1007/s11623-019-1097-3
- Schneider, S. & Sunyaev, A (2016). Determinant Factors of Cloud-Sourcing Decisions: Reflecting on the IT Outsourcing Literature in the Era of Cloud Computing. In: Journal of Information Technology, 31 (1). DOI 10.1057/jit.2014.25
- Lins, S., Grochol, P., Schneider, S. & Sunyaev, Ali (2016). Dynamic Certification of Cloud Services: Trust, but Verify! In: IEEE Security & Privacy, 14 (2), p. 66-71. DOI 10.1109/MSP.2016.26
Prof. Ali Sunyaev (email@example.com) is Director of the Institute of Applied Informatics and Formal Description Methods (AIFB) and Professor for Computer Science at the Karlsruhe Institute of Technology (KIT). His research interests are trustworthy Internet technologies as well as complex health IT applications. His research work accounts for the multifaceted use contexts of digital technologies with research on human behavior affecting Internet-based systems and vice versa.
Heiner Teigeler (firstname.lastname@example.org) is a PhD student at the Research Group Critical Information Infrastructures (cii), Institute of Applied Informatics and Formal Description Methods, Karlsruhe Institute of Technology (KIT), Germany. His main interest in the field of information systems research is the (continuous) certification of cloud services. Furthermore, he is working on research in the field of fog and edge computing.
Sebastian Lins (email@example.com) is a PhD student at the Research Group Critical Information Infrastructures (cii), Institute of Applied Informatics and Formal Description Methods, Karlsruhe Institute of Technology (KIT), Germany. His main interests in the field of information systems research are the (continuous) certification of cloud services and distributed ledger technology as well as understanding and enhancing the effectiveness of IS certifications.
Research Group Critical Information Infrastructures, Karlsruhe Institute of Technology
The Research Group Critical Information Infrastructures at the Karlsruhe Institute of Technology (KIT) is led by Prof. Ali Sunyaev. The group's main research contexts are reliable, secure, and purposeful software and information systems within the scope of critical infrastructures, innovative health IT applications, cloud computing services, blockchain technologies, and auditing/certification of IT.
Please note: The opinions expressed in Industry Insights published by dotmagazine are the author’s own and do not reflect the view of the publisher, eco – Association of the Internet Industry.