The EU's new General Data Protection Regulation (GDPR) will enter into force on May 25, 2018. However, figures released by Bitkom, the business association of the German IT sector, suggest that only 13% of German companies have made suitable preparations, and one third have not even considered the GDPR's impact. Time is running out, so a growing number of companies are turning to public cloud solutions. While these solutions do not absolve business from their obligation to put the GDPR into practice, cloud solutions can provide considerable support when it comes to protecting data.
In this article you will read more about the following toptics:
- New options for storing and processing data
Privacy by design
Webcast and FAQ about the GDPR
Questions and answers on the GDPR
The EU's new General Data Protection Regulation (GDPR) is scheduled to replace Germany's existing data privacy laws in about six months' time. This has major implications for any company division that works with personal data, such as IT, HR, sales, and the legal department. The new legal framework cannot be ignored, and infringements will carry a hefty fine. Previously, penalties were in the region of 50,000-300,000 euros, but, depending on the gravity of a given case, contravening the GDPR can incur fines of 2-4% of a company's global revenue, or 10 million euros at the very least.
New options for storing and processing data
As yet, there is no model solution for how to implement the GDPR's requirements, but one thing is clear: The more processes take place online, the greater the workload for putting the data protection guidelines into practice. For scores of companies, the GDPR means having to look into new data storage and processing strategies because their current procedures fall short of the new requirements. Not just for reasons of data protection, the search for alternatives has revealed a clear trend towards public cloud solutions which meet the GDPR's requirements at least in terms of infrastructure and data processing procedures. This means that companies can concentrate on the organizational and legal issues which the GDPR also addresses.
Within companies, however, who is responsible for the GDPR's implementation and management? Most firms have not yet answered this and other fundamental questions. This is just one of the reasons that Deutsche Telekom has released its binding interpretations for the GDPR. They are based on Telekom's own experiences and best practices regarding this issue, so they provide solid orientation for companies that are exploring what the GDPR means to them and their operations.
Privacy by design
Public cloud solutions cannot release companies from the extensive responsibilities that arise from the GDPR, but these solutions can provide considerable assistance when working to adhere to new regulations. For example, the Open Telekom Cloud solution for corporate customers has at all times followed the principle of "privacy by design" as promoted by the GDPR. From the earliest concept design stages, the Open Telekom Cloud has therefore been based on the GDPR's principles for services and functions. Looked at in security terms, the Open Telekom Cloud also provides identity and Access management for all offered services. This option clearly defines unique, role-based access rights to stored data.
Server's location isn't everything
One important point about the Open Telekom Cloud is that all data is stored and processed only on servers located in Germany and the EU. While certain US firms active in the European market now offer the same thing, the GDPR imposes restrictions on data access as it is, after all, possible to link up with a server in Germany from a location in California. Telekom therefore ensures that access is permitted only from within the territory covered by the EU's legal jurisdiction. With this in mind, more people in Germany trust Deutsche Telekom than any other company when it comes to the storage and processing of personal data.
TCDP certificate confirms compliance with requirements
As early as August 2017, the Open Telekom Cloud received the German economy and energy ministry's TCDP 1.0 certificate, which attests that the Open Telekom Cloud is currently one of the few cloud offerings on the market to have a legally compliant data protection certification for defined cloud services.
Webcast and FAQ about the GDPR
"Ready for the GDPR", Heise Verlag's webcast with experts Frank Wagner (VP Business, Services & Infrastructure, Group Privacy, Deutsche Telekom AG) and Max Guhl (Open Telekom Cloud product manager, T-Systems International GmbH), offers a host of further information about the GDPR and Open Telekom Cloud. You can see the webcast here. Down below are questions (along with the answers) that the experts fielded during the webcast.
Webcast: "Ready for the GDPR – the Open Telekom Cloud as an alternative to US clouds"
Questions and answers on the GDPR
Is it GDPR-compliant if a US company provides access to its cloud portfolio within the EU when the server is located within the EU at the same time?
This is possible even if the servers are not located within the EU. What is more important here is adherence to the data protection legislation, for example concerning the conclusion of contracts that contain standard clauses set by the EU, or the guidelines or the EU-US Privacy Shield policy. When assessing the overall situation, it is important to factor in the potential access rights of the US authorities.
Won't the EU-US Privacy Shield soon be outdated just like the Safe Harbor agreement because Washington prefers to apply the provisions of the USA PATRIOT Act when in doubt?
This could well be the case. First of all, however, we should wait for the European Court of Justice to rule on the EU's standard contract clauses.
How can you ensure that government bodies, such as Germany's intelligence services, cannot access data on the Open Telekom Cloud, or at least cannot access it unless part of a specific investigation?
There are no interfaces that these bodies can use to access the information. Like everyone else, government institutions have to submit applications via Deutsche Telekom's specially designed procedures. Telekom's experts first check the legal justification provided by the applicant – normally, a request has to include a court order. Only when this check has returned a positive result can Telekom provide the applicant with the information they want.
Thinking about Deutsche Telekom's role as a trustee for Microsoft, is there really no way for Microsoft or American government bodies to gain technical access to data in Telekom's cloud?
Technical access is restricted to maintenance activities. This kind of access is issued to individual employees on a case-by-case basis. It is granted only for a limited period of time, and it is also monitored. The solution does not feature interfaces for government bodies.
When will Microsoft Office365 be available in the cloud in Germany?
T-Systems is also active in the USA, so how is it possible to prevent data access via this route?
Deutsche Telekom assumes that the company will not be obligated to release data via this route because the customers in question do not have contracts with T-Systems North America, Inc. and the parent company is headquartered in Germany. Anyone looking for information has to contact the company in Germany and so meet the requirements specified by German law.
How does Deutsche Telekom prevent the installation or operation of web applications or websites that were not developed securely? For example, is it possible that a website could, via the Open Telekom Cloud, store unencrypted address details from a registration?
Deutsche Telekom uses privacy and security assessments to ensure the security of your applications and services. Customers' applications have to be designed so that they do not endanger the security of the systems. This would definitely prevent a situation in which address details supplied during registration are forwarded and possibly stored without encryption. Responsibility lies with the customer. As the provider, Telekom would notify the customer if it were to find out about this.
Deutsche Telekom normally has no direct contact with its customers' end customers: Only the relevant cloud customer does. How does Telekom support these cloud users if, for example, they want to delete end customers' data or want information about it?
When Telekom is involved in the development process, it contributes its expertise in designing suitable solutions. However, responsibility ultimately lies with the cloud customer. Nevertheless, Telekom indirectly helps the cloud user by maintaining a platform that offers suitable deletion options, and the company advises its customers about the necessary functions, such as providing information.
Effectively encrypted data is always secure, so isn't the location of the cloud operations unimportant?
That’s absolutely right. If it is impossible to completely prevent access to customer data via operating processes, high-quality encryption featuring reliable key management procedures is the first choice. This approach could, however, restrict the solutions' ability to function as calculations are not (yet) possible with encrypted data. Future solutions could make use of homomorphic encryption.
Does using an Oracle database in the Open Telekom Cloud require dedicated hardware, or is it possible to use alternatives? What is the licensing model like?
Here, we would advise customers to contact Oracle to license usage in a shared cloud context. Telekom has already successfully used this approach as advice for two customers and supported them with Open Telekom Cloud services. Using dedicated servers (BareMetal) can be of tremendous benefit when simplifying negotiations.
Are there any options for using dedicated cryptoservers (e.g. Ultimaco) in the Open Telekom Cloud?
Regarding software and applications, Telekom's customers can incorporate anything that does not contravene contractual stipulations. What they cannot incorporate are physical modules, servers, and similar. Telekom is currently working on augmenting connectivity to permit networking with housing servers from the customer's side of operations.
Can the Open Telekom Cloud be used in conjunction with an on-premises solution to form a hybrid cloud?
Deutsche Telekom is currently working on designing an Open Telekom Cloud hybrid product. The goal is to create an on-premises environment within a customer computer center. It will match the "look and feel" of the Open Telekom Cloud, and additions can be made in a modular manner. It will be possible to use the on-premises and public components together so that resource bottlenecks on the on-premises side can be resolved seamlessly on the Open Telekom Cloud side.
Downloads and events about the GDPR
Files from the webcast (only available in german):
Further information about cloud computing and data protection from T-Systems' experts is available from the series of events "Cloud Computing & Data Protection at T-Systems".
Do you have questions?
We answer your questions about testing, booking and use - free of charge and individually. Try it! Hotline: 24 hours a day, 7 days a week
0800 33 04477 from Germany / 00800 44 556 600 from abroad