Cloud computing / GDPR
The topic of data protection
Which cloud can entrepreneurs trust? The Auditor research project is developing a certificate that serves to compare providers, as Dr. Marius Feldmann from Cloud&Heat Technologies and Prof. Ali Sunyaev from the Karlsruhe Institute of Technology explain.
Roadmap of the Auditor project.
© Karlsruhe Institute of Technology
What impact will the changes brought about by the GDPR have on cloud solutions?
Prof. Ali Sunyaev: As helpful as digital solutions may be in dealing with the highly complex and fine-grained processes in companies, the GDPR now requires us to take a closer look: This is because strict regulations must be adhered to wherever data is generated, processed, stored or transferred to third parties for further processing.
For personal data, i.e. all information relating to an identified or identifiable natural person - such as customer, bank or online data - the European Union has manifested the applicable regulations in the GDPR. It is expressly intended to harmonize the previously diverse European laws on data protection and privacy. This has implications for companies of all types, sizes and sectors. Logistics and transport are not immune to it either - after all, personal data is generated along the entire value chain. The GDPR, which comes into force on 25 May 2018, standardizes national regulations, such as the Federal Data Protection Act applicable at national level, and replaces them with EU-wide standardized requirements for the processing of personal data.
What is the threat to companies if they fail to comply with the new requirements?
Dr. Marius Feldmann: To ensure long-term compliance in all EU countries, national authorities are authorized to impose sanctions of up to 4% of a company's total global annual turnover or up to 20 million euros, whichever is higher. This is no mean feat. If they have not already done so, companies are therefore strongly advised to check whether they are processing personal data and whether they are already complying with the GDPR regulations.
Can you give an example of where compliance with the GDPR is difficult to implement?
Sunyaev: The devil is often in the detail, because logistics in particular often involves complex distribution processes that are carried out by a large number of companies and subcontractors. A simple delivery of goods, such as a washing machine, can quickly involve several freight forwarders or carriers: from the manufacturer to the warehouse, from the warehouse to the customer's freight forwarder, and from there to the customer themselves. They all usually have access to the customer data via synchronized systems or corresponding interfaces; at the same time, other personal data such as that of the responsible driver or clerk comes onto the screen. The chain shows that every link is involved in data processing - and must therefore also comply with the new GDPR requirements.
Where is personal data usually stored?
Sunyaev: In the course of digitalization, companies do not process and manage their data exclusively in their own data center on site, but often with third-party providers in the cloud in order to benefit from lower costs for IT infrastructures, greater agility in day-to-day business - for example when transferring and sharing customer data - and the associated competitive advantages.
What should be considered when selecting a cloud provider in the future?
Feldmann: Cloud providers are a dime a dozen these days. Finding the right long-term partner for your applications is particularly difficult, as it is often not clear whether the strict provisions of the GDPR are actually being adhered to by the specific cloud provider. Certificates can provide a remedy here by putting the providers of virtual IT resources through their paces from both a technical and organizational perspective and providing transparent and objective proof of compliance with the requirements of the GDPR. Although there are already a large number of certifications for cloud services on the market, these follow individually developed criteria catalogs and do not yet allow for a uniform compliance check with regard to the GDPR.
Dr. Marius Feldmann, Cloud & Heat Technologies: "Data protection certification of cloud services is essential."
© Cloud & Heat Technologies
And this is where the Auditor research project comes in. What exactly is it about?
Feldmann: In order to bring light into the darkness of data processing and create clarity in the jungle of seals of approval and certifications, a uniform, recognized data protection certification of cloud services is essential. This is why the project was launched. Several German companies and research institutions, under the leadership of Prof. Dr. Sunyaev from the Karlsruhe Institute of Technology, have dedicated themselves to this issue on a special commission from the Federal Ministry for Economic Affairs and Energy. The aim is to develop an EU-wide standardized data protection certification for cloud services and to test it in practice. All relevant aspects such as responsibilities, transparency obligations, liability and control mechanisms are to be considered against the backdrop of the new GDPR in the funding project, which will run until the end of 2019.
Many of the currently recognized certification bodies have been brought on board to benefit from their practical expertise: The company Datenschutz Cert, the DIN Standards Committee for Information Technology and the Eurocloud Germany association are also involved. In addition, Prof. Dr. Alexander Roßnagel from the University of Kassel is leading the development of the certification from a legal perspective. The project is further supported by a large number of associated partners who contribute their practical experience and knowledge to the project. Auditor builds on its predecessor, the Trusted Cloud Data Protection Profile - TCDP for short - which is a recognized testing standard for data protection requirements of the BDSG for cloud services.
What is the roadmap for the project?
Sunyaev: The project consortium is currently deriving new requirements and certification criteria based on the GDPR. For example, stricter documentation and accountability obligations now apply to companies that store personal data. Companies are now obliged to keep a record of all data processing activities. The next step is to work out how these criteria can be checked and compliance with them verified. To return to logistics, for example: Here, possible criteria include not only checking that the names and addresses of the recipients of goods along the supply chain are adequately protected. Internal data from logistics companies - such as GPS movement data from delivery vehicles and other tracking options for the company and its customers - must also withstand an audit of data protection-compliant transmission, processing and analysis in cloud services.
The developed Auditor procedure will then be tested by cloud service providers, including Cloud&Heat, Ecsec and Hornet-Security, and a corresponding business model for the continuation of the Auditor certificate will be developed. Only in this way can the consortium contribute to the creation of an EU-wide standard that is established in practice and thus provides companies and private individuals with lasting support for data security in the cloud.