On May 25, 2018 the General Data Protection Regulation (GDPR) will come into force across Europe. It will ensure better protection of personal data, and at the same time it will bring immense challenges: companies have to ensure that they comply with the stricter rules, even when they host data in public clouds and operate across countries and continents. In a talk at the OpenStack Summit 2017 in Boston, Sebastian Wenner of T-Systems explained what companies that want to use the public cloud have to do now to comply with the new regulation.
The GDPR replaces the old EU Data Protection Directive, which has been in place for 22 years. Its aim is to clearly regulate how personal data is collected, processed, stored, deleted, transferred and used. Violations of the new regulation will result in severe penalties, which poses a serious risk to companies. Wenner, however, has tips for how companies can protect themselves: “Anyone using cloud technology should definitely be using open source products rather than proprietary solutions.” One example is the Open Telekom Cloud, which is based on OpenStack. “There are no backdoors here through which the manufacturer has unnoticed access. The user has a complete view of every element and can check the security protections,” the cloud expert says.
Who, though, is actually affected by the GDPR? “It’s really quite simple,” Wenner says. “If a company does any business within the EU or stores data here, then the place of jurisdiction is the EU and the GDPR applies.” Many companies, however, have their headquarters in countries with relatively weak data protection laws, such as Ireland. Other countries have also long failed to meet the EU standards, as this interactive map by the market research firm Forrester Research shows. “There’s a lot of work to be done here until the new rules are implemented,” Wenner says.
The solution? “Companies have to take responsibility,” Wenner says. To do that, they have to take a close look at all the different layers of their own cloud solution.
How it’s done: It is important to pay attention to secure encryption at the lowest level, that of the running virtual machine (VM). Furthermore, the cloud provider should hold the appropriate certifications, issued by trusted organizations such as the TÜV or the Cloud Security Alliance. The operator’s team must be made up of trained, attentive and certified personnel. When it comes to the data centers, apart from trained staff, physical security measures such as access controls are essential. Of the utmost importance, however, is a secure Internet transfer: if the connection is not sufficiently protected and encrypted, data or systems could be compromised, regardless of how well the other layers are protected. “The bottom line: Think about all the access points where your data could be threatened and secure them,” Wenner says.
Sebastian Wenner’s full talk on the subject of the GDPR is on YouTube. Further information on the topic can be found here: The 4 most important questions about the EU’s new data protection regulations.