The General Data Protection Regulation (GDPR) harmonizes the rules for the processing of personal data by private companies and public authorities throughout the EU. It forces many organizations to rethink their cloud strategy.
Without cloud services, many companies would now grind to a halt, whether in the financial industry, in the healthcare sector, or in public administration. One of the questions most often asked by the IT managers of these companies concerns data protection and data security: What happens to my business-critical data and services in an emergency? How fast are they restored? And who guarantees me sufficient security?
Numerous additional regulatory requirements are on the way. From 25 May 2018 at the latest, all companies active in the European Economic Area should expect more regulation: the General Data Protection Regulation (GDPR) of the European Union, adopted in April 2016, imposes a single set of rules for the processing of personal data by private companies and public bodies throughout the EU.
It may seem as if there is still plenty of time before 2018, but the number of IT systems and the complexity of the networks and data stores that companies have built up over time can considerably shorten the time actually available for implementation. And please take note: hardly anyone will be unaffected by the GDPR, because it applies to every company and organization that offers goods or services to people in the EU, or monitors their behaviour, regardless of where the organization itself is established.
Therefore, it is worth knowing right now what the many new provisions of the GDPR mean in detail:
Data protection by design and by default
- Until now, companies have been required to adopt "appropriate technical and organizational measures" to protect personal data. In the future, the GDPR will also oblige companies to demonstrate that the measures taken are regularly tested, reviewed and updated.
- In addition, companies must be able to show that appropriate protection measures are built into their processing operations from the design stage onward, and that, by default, personal data is only processed where this is strictly necessary for the purpose at hand (data minimisation).
Data Protection Impact Assessment
- Companies will be required to carry out a data protection impact assessment of planned processing operations whenever the processing is likely to result in a high risk to the rights and freedoms of the persons concerned. If the assessment shows that a high risk remains even after the planned mitigation measures, the competent data protection authority must be consulted before the processing starts.
Compulsory notification of data breaches
- Personal data breaches must be reported to the competent supervisory authority within 72 hours of the company becoming aware of them, unless the breach is unlikely to result in a risk to the persons concerned.
- In the case of a data breach that poses a high risk to the persons concerned, those persons must also be informed without undue delay.
Apart from these technical details, the GDPR also forces many organizations that use cloud services to rethink how they do so. Personal data may only be stored in or transferred to countries outside the European Economic Area if the destination country has been found by the European Commission to offer a level of protection essentially equivalent to that of the EU, or if other appropriate safeguards (such as standard contractual clauses) are in place. Many large cloud providers cannot meet these requirements at short notice, since they routinely store and process data from European customers outside the EU, often without their customers' knowledge. The list of countries recognized as meeting European privacy standards is also very short: just 11 countries have received such an adequacy decision, and the USA, where nearly 70 percent of global cloud providers have their headquarters, is not among them.
Customers of US cloud providers in particular therefore need to act in response to the new regulations. A provider that stores and processes data entirely within Europe makes it considerably easier to meet the requirements of the future.
We at Safe Swiss Cloud are adamant that a regulation such as the General Data Protection Regulation is not just a call to action to avoid high fines; it is also a great opportunity. Companies should recognize that privacy, security, and compliance with the highest standards are important distinguishing features of a brand, and that is the path on which we would like to accompany our customers.