On behalf of T-Systems, Daniel Fussy devoted a lot of time and energy to getting the Open Telekom Cloud certified in line with the requirements of TCDP 1.0 (Trusted Cloud Data Protection Profile). On August 8, T-Systems was awarded the certification. He explains in this interview what this means for the Telekom Open Cloud and what role the certificate will play regarding the EU's future General Data Protection Regulation (GDPR).
Daniel, can you tell us briefly what the TCDP 1.0 certificate is?
Daniel Fussy: As its name suggests, TCDP covers data protection. It is tailored to suit the German market and is the "hardest" certificate on the market. Approved by the German economy and energy ministry, it is also accepted by government institutions that impose strict standards on the processing of personal data.
What does the term "hardest certificate" mean?
Daniel Fussy: If we compare TCDP with, for example, the widely used ISO 27018 certificate, we notice one essential difference: No accreditation body monitors the ISO 27018 certificate. It is ultimately an arrangement between the service provider and auditor. DAkkS is the national accreditation body for Germany, and it plays a role in the TCDP accreditation process as it monitors the auditor's activities. Instead of being managed by two parties, three are involved, which ensures that the certificate has the greatest possible level of authentication and effectiveness.
What role does this high level of authentication play?
Daniel Fussy: We shouldn't forget that data protection legislation places liability on whoever owns the data, the party commissioning data processing. Certification as per TCDP does not release anyone from the ensuing obligations. As a result, when a company transfers data to a contractor for processing, the former's employees who bear responsibility for this data need the toughest guarantee that nothing will go wrong. In such a situation, involving DAkkS as an impartial third party raises the trustworthiness of this process considerably.
If you do an internet search for certified companies, you'll only find four of them, and their certificates are all version 0.9.
Daniel Fussy: That's right. Four companies obtained certification very quickly, but at the time, there was no certificate that complied with the requirements of next year's GDPR (General Data Protection Regulation). Along with the official accreditation previously mentioned, the switch from 0.9 to 1.0 also saw the introduction of what is known as the "restorability level".
What role does TCDP accreditation play regarding the GDPR?
Daniel Fussy: The certificate attests that the Open Telekom Cloud is currently one of the few cloud offerings on the market to have a legally compliant data protection certification for defined cloud services.
Two specifications are displayed on the certificate's logo. What do they mean?
Daniel Fussy: For one, they show information about data protection classes. The Open Telekom Cloud, for example, allows data processing up to protection level 3, the highest certifiable data class. For another, they also show the restorability level, again subdivided into three classes: Normal, high, and very high. As the Open Telekom Cloud is operated from two separate computer centers located some 10-30 km apart, we guarantee a very high level of restorability. The architecture provides optimum catastrophe prediction capacities coupled with minimum latency.
Who benefits from TCDP?
In the first instance, every company in Germany benefits from guaranteed data protection. In addition, every public body accepts the certificate. Looking outside of Germany, it of course benefits companies operating around Europe. By switching to a TCDP-certified provider today, they will automatically meet the GDPR requirements that will be in place starting May 2018, and they will also be on the safe side in terms of data protection. It will be interesting to see how US providers react to this challenge.