Multi-cloud management
GDPR and multi-cloud - a cause for concern?
Many companies already use one or more clouds. With the new EU GDPR, there is now uncertainty as to whether they meet the requirements for data protection and data security. If certain requirements are met, there is no need to worry. By Dr. Torsten Langner.
The General Data Protection Regulation (GDPR) has been in force since May 25 and is causing uncertainty in many companies, especially those operating across several clouds. So much so that more than half of all respondents (54%) in a study believe that the requirements of the GDPR would be easier to meet if their company returned to self-operated IT (on-premises). At the same time, however, most know that the step into a digital future is not possible without the cloud. This is also confirmed by the ISG Experton Group in its ISG Provider Lens Germany 2017 Cloud Transformation/Operation Services & XaaS study. So what can be done to resolve this conflict and make multi-cloud landscapes GDPR-compliant? And how can a company select a provider that offers secure support for GDPR compliance?
The challenges of data protection and security have become more complex with the GDPR, especially when companies store their information in various private and public clouds. All cloud users and providers must be able to provide complete proof of where personal data is physically stored and processed in order to protect it and be able to delete it at any time if necessary.
This makes it all the more important to consider the location of the data center where the data is stored. All personal data in the cloud should be stored and kept in data centers within the EU. With this approach, the EU wants to prevent the personal data of EU citizens from being transferred to countries whose rule of law principles do not meet the EU's requirements. This is intended to prevent information from falling into the hands of intelligence services, for example. If you want to be on the safe side, look for a provider with a data center in Germany. Thanks to many years of experience with the strict Federal Data Protection Act (BDSG), German cloud providers can guarantee that they also fully comply with the requirements of the GDPR.
Safe from the ground up
However, location is not the only criterion: providers who want to be GDPR-compliant must operate highly secure data centers. The required protective measures include data feeds via a specially secured VPN (virtual private network), security locks, and intrusion detection and prevention systems. In addition, data center operators are required to appoint a data protection officer who is available as a contact person for all security issues.
In addition, the GDPR recommends that the concepts of "privacy by design" (data protection through technology design) and "privacy by default" (data protection through privacy-friendly default settings) should be a fixed part of the security concept. "Privacy by design" means that technology is developed in a data protection-compliant manner from the start, for example by automatically encrypting data during transmission. "Privacy by default" refers to the factory settings of hardware or software, which should meet the requirements of the GDPR from the outset without the user having to configure them.
A joint obligation
When deciding on a cloud provider, the protection of personal data in the cloud becomes the joint responsibility of the company (controller) and service provider (processor). This makes the data protection aspect essential when choosing a cloud provider. This is also impressively demonstrated by the latest Cloud Monitor 2018 from KPMG and Bitkom: 97% of all companies surveyed named GDPR compliance as a "must-have" when selecting a provider. But what precautions should companies and providers take to keep data in a cloud environment in compliance with the GDPR?
Encryption is the key to success
To ensure optimal protection of data, it should be processed during migration to the cloud in such a way that third parties can no longer make use of it. This can be achieved by means of anonymization, pseudonymization or encryption, for example. The data can then either no longer be assigned to its source, or it can no longer be deciphered without the correct key. The advantage: the loss of data that third parties cannot access has significantly fewer consequences under the GDPR than the loss of openly readable personal data.
If a loss of personal data does occur, this must be reported to the responsible data protection authority in the respective country within 72 hours of the data leak being discovered. In the case of particularly sensitive personal data (e.g. information on party or religious affiliation), the person concerned must also be informed. While the data protection authority must be informed in any case, this does not apply to the data subject if, for example, the data was encrypted.
The strict reporting deadlines also mean that the cloud provider must demonstrate a high degree of transparency. Only with a carefully developed compliance concept and comprehensive documentation will the company be able to meet the official reporting deadlines. After all, a cloud user can only meet their reporting obligation if the service provider informs them of a data loss in good time.
Securely into the cloud with teamwork
The current concerns in companies due to the GDPR must be taken seriously. However, the head-in-the-sand (ostrich) tactic is exactly the wrong approach: neither compliance with the GDPR nor the move to the multi-cloud is optional. A complete return to on-premises IT is a solution only in the rarest of cases, as it can barely meet today's performance requirements - let alone those of tomorrow. Those who forego the advantages of the multi-cloud in terms of flexibility, agility, performance and scalability must reckon with competitive disadvantages.
But there are many ways to make multi-cloud management GDPR-compliant. One example of this is MCOS (Managed Cloud Operating System) from T-Systems. This solution enables the various departments of a company to book their required resources (IaaS, PaaS, SaaS) completely independently at the touch of a button using self-service. This enables departments to adapt their IT landscapes agilely, independently and optimally to various requirements and to act in compliance with the GDPR.
In times of digitalization and GDPR, those who take a well-considered approach when migrating to the cloud or choosing their cloud provider can look to the future with confidence. Choosing the right multi-cloud provider will also become easier for companies in the future: experts are currently working on a GDPR certification that will enable cloud service providers to prove their GDPR compliance. It is being developed on the basis of the "Trusted Cloud Data Protection Profile" (TCDP), a certification explicitly based on the requirements of the German Federal Data Protection Act (BDSG). A recognized certification of this kind, which will be based on the GDPR in the near future, will increase transparency in the market. If companies and service providers can jointly demonstrate their compliance with the GDPR, all paths are open for successful and legally compliant digitalization.
The author: Dr. Torsten Langner is a digital consultant at T-Systems.