GDPR Compliance of Companies: Challenges in the Use of Cloud Services

Getting compliant with data protection requirements for data storage and processing is already a major challenge in a company’s own data center, but this applies even more when third parties such as cloud service providers are brought in to support data processing. In fact, the private sector and even the public sector are increasingly turning to cloud services for resource consolidation to significantly reduce costs and the complexity of IT infrastructure (if it goes well…), data center operations, and end-user support.

At the same time, new challenges and risks arise that also need to be dealt with in a different manner. The EU General Data Protection Regulation (GDPR) confronts cloud service providers and cloud customers with new requirements, such as the right to erasure, rectification, and portability, which is difficult to implement, and not only from a technical perspective. Another new aspect appears with the model of shared responsibility regarding the protection of personal data along the whole “cloud supply chain”. In short: the cloud customer remains in principle accountable towards the data subject insofar as they must demonstrate their fulfilment of the GDPR requirements.

However, all involved cloud providers must prove with appropriate tools and measures that they meet the GDPR requirements, too. And: depending on the data processing structure, cloud providers may also be accountable themselves if they can determine the purpose, means, and conditions of processing. 

This is why the role of the cloud service providers in this chain must be made clear to all actors and legally confirmed. So, the entire “cloud supply chain” is accountable as a whole and must be able to prove compliance accordingly – towards the data subjects and the supervisory authorities.

The GDPR regulates two types of proof of compliance: certification and (approved) rules of conduct. Certificates may be issued by accredited certification bodies but, according to the GDPR, also by supervisory authorities. Recently, the criteria for certification have been approved by the EU supervisory authority, the European Data Protection Board (EDPB), allowing certification bodies to obtain accreditation. In addition, compliance schemes – e.g. from the Auditor research project – have been developed and published. This is all very well, but the truth is that currently there are no certification providers available. Another issue that may arise with the certification is the costs. Certification is expensive, especially from SMEs’ point of view. Although it is assumed – especially by the EU, the Member States, and industry associations – that certified compliance poses a competitive advantage, whether this can be monetized to the announced extent will only become apparent in the long run.

Against this background, approved rules of conduct represent a cost-effective alternative. Approved codes of conduct considering the specifics of the industry, for example, may be developed by industry associations and then need to be recognised by a European supervisory authority. An example of this is the GDPR Code of Conduct of the Cloud Security Alliance (CSA). This framework makes it possible for cloud providers to structure the protection level for personal data and to obtain an indication of where improvements may need to be made. Cloud service providers who meet the requirements of the CSA’s code of conduct can have their compliance confirmed by the CSA with a trust mark. Additionally, the self-assessment document is published on the CSA website.

At the same time, the self-assessment provides potential cloud customers with an instrument with which they can evaluate and compare the protection level for personal data of different cloud providers. Cloud providers should have a strong interest in ensuring that potential customers can obtain this information – not only to comply with the fundamental GDPR principles of transparency and accountability, but also to build trust. The GDPR code of conduct of the CSA should not only serve as a self-assessment framework but is planned also to be included in an EU-wide register of approved rules of conduct after they have been approved by the French supervisory authority CNIL.

Even though this framework has an easy-to-use structure, is accompanied by a guideline, and is based on proven and well-recognized schemes, there is uncertainty among cloud providers as to which information they can use or is needed to prove compliance with all required criteria, as initial experience has clearly confirmed. Not surprisingly, there is a gap between the practical and fundamental secure provision of a cloud service and the ability to break it down into bite-sized pieces that fit with the respective criteria in an understandable and precise manner from the point of view of data protection. A pure product description is not enough. Cloud customers can also not be expected to be able to “translate” the result of a self-assessment as proof of compliance. In this respect, a self-assessment also requires external support – but with less effort and lower costs than arising in a certification process.

In a nutshell: although the “self-assessment” instrument is not (yet) so familiar in the German legal system/culture, this does not lower its impact. In contrast to expensive and time-consuming certification processes, self-assessments are a good way for SMEs in particular to achieve certainty in dealing with the cloud and GDPR. Nevertheless, they require a comprehensive understanding and extensive knowledge of the IT/cloud infrastructure used. Self-assessments therefore require corresponding competencies, which are often not available to the extent required, but can be provided by external consulting services.

The aim of eGovCD is to make our expertise and competence available precisely in that regard, and to accompany and support the self-assessment process. eGovCD uses a standardized procedure for the GDPR compliance audit, which consists of five modules. As a result, the modules can be provided separately. Our aim is to enable companies to adequately meet the requirements of the GDPR, i.e. to reduce risks by means of analysis, examination, risk assessment, and even accompanying the implementation of measurement and the proof of GDPR compliance. Based on many years of experience with a broad range of clients – from small companies to market leaders, and through to public institutions – eGovCD is very familiar with the specific economic, political, and legal environment. This in-depth understanding not only allows us to adequately answer the questions our clients face in this context, but also to jointly develop and implement successful solutions for all such issues.

Stefanie Köhl specializes in information security and data protection, especially in the context of digitization processes in the private and public sectors. Since 2017, she has been the managing director of eGovCD, where she is the first point of contact for customers in the conception and implementation of digitization strategies, especially in the context of cloud security and GDPR compliance.

Heidrun Müller has many years of expertise in the areas of IT security, information and process management. The focus is on cloud technologies and data protection. For more than 10 years, she has supported commercial and public clients in the implementation of digitization projects. She holds the certificates “Lead Auditor Training CSA CoC for GDPR Compliance” and “Cloud Security Knowledge” of the Cloud Security Alliance.