How companies work in the cloud in compliance with the GDPR

Data protection presents companies with many challenges, but the cloud helps with compliance with standard services. With the right security concept, even sensitive personal data or intellectual property can now be transferred to the cloud in encrypted form and stored there securely. Centralized data storage also helps with the right to be forgotten and the right to information. More and more companies are using the cloud for reasons such as efficiency, IT skills shortages, agility and innovation. However, the migration of workloads also raises the question of data protection compliance. Many companies are concerned because data protection in Germany is not handled with complete transparency. Data protection is a matter for the federal states. Each federal state has its own data protection officers, who act with varying degrees of intensity and "aggressiveness". The fear of being spotlighted as a negative example during spot checks is also so great because data protection is perceived as a gray area. It is often not clear down to the last detail what is legally permitted - and what is not.  

The good news is that with a well thought-out security concept, GDPR compliance is feasible even in complex scenarios. A wide range of AWS standard services for security, data security, IAM (identity and access management) and data integrity are already available to meet data protection requirements. The IDG study "Cloud Security 2021" (Link: https://www.computerwoche.de/a/das-bild-von-cloud-sicherheit-stimmt-noch-nicht,3550978) shows that a good 60% of the almost 400 companies surveyed see the cloud as an opportunity to improve security.  

The data does not leave the EU  

When deciding on a cloud migration, the first question is where the data should be stored. The largest AWS data center in Frankfurt is usually chosen, but other regions such as Paris or Stockholm are also suitable: The General Data Protection Regulation applies in the EU. Providers such as AWS are committed to CISPE, the Code of Conduct for Cloud Infrastructure Services (link: https://cispe.cloud/code-of-conduct/). A techconsult Ionos study (link: https://cloud.ionos.de/reports/techconsult-gaia-x-studie-2021) from last year shows that 56% of the 207 companies surveyed rely on German cloud data centers, 31% on data centers in the EU.

All data is stored in encrypted form  

The second important principle for data in the cloud is encryption. This task is covered by the AWS KMS (Key Management Service): The KMS offers various approaches: With the Customer Managed Key, the customer retains access to the keys themselves and manages them in their infrastructure. Otherwise, the keys are managed securely in the cloud environment. Of course, personal data in particular should not be publicly accessible if possible, but there are many gray areas here. However, solutions can also be found for complex challenges relating to personal data (Link: https://aliceandbob.company/work/case-study-socialmedia-s3-asset-playout-gdpr-comliant/) solutions can be found: For example, when it comes to profile pictures, which are also considered PII (personally identifiable information). Alice&Bob's Secure Asset Server can ensure that data in a content delivery network (a group of geographically distributed servers) is always delivered encrypted - and encrypted - in the EU. The solution ensures that there are no significant delays in this process, even at the Australian location.  

 ‍

As vigilant as a hawk: Guard Duty and Co.     

AWS is already strongly focused on data protection. (Link: https://aws.amazon.com/de/compliance/gdpr-center/). One of the most important services here is Guard Duty. The service enables threat detection monitoring, which observes exactly what is going on in the infrastructure: is an employee behaving differently than usual or, for example, are many requests being made to download profile pictures? Macie's monitoring service is also very powerful. Macie can automatically detect whether personal data such as credit card numbers are involved and analyze a variety of log files. As soon as a "clear name" or card number is detected in a log file, a message is sent that the app in question has been incorrectly configured. AWS Inspector, on the other hand, monitors whether the configuration of the services used has been carried out correctly. Here you can select which rules should be checked, such as PCI DSS for payment service providers or GDPR. Inspector points out anything that contradicts data protection best practices. With AWS Configuration Rules, predefined rules can also be checked continuously and a notification is sent via Slack or email in the event of problems.  

Use supplementary agreements such as SCC  

In cooperation with cloud providers and service providers, the agreement on commissioned data processing, in which the service provider excludes the use of the data itself, is also important. Additional contractual agreements are set out in the data processing addendum or in the SCC (standard contractual clauses). This is particularly important if a company works with a large number of service providers on the Internet, such as a comparison portal. Tables must then be kept on the context in which personal data occurs. In addition, the GDPR compliance of the individual partners must be contractually ensured.  

Data protection is easier in the cloud     

The cloud offers important advantages: Tools that have to be purchased and managed separately on site are often available free of charge. All services are integrated with each other, the cloud storage and the databases from the outset. Required audits and certifications are easy to implement, especially with well-known providers such as AWS. Many tasks can be easily outsourced in the form of managed security services if required and if there is a shortage of IT staff.  

The right to be forgotten: Obligations to erase    

The right to be forgotten and the right to know what data is stored about a person are very similar in practice. Both pose real challenges for companies. For implementation, especially in complex contexts such as online retail, separate teams are often still required to manually - and therefore error-prone - check which personal data is stored in which processes. Instead, the data should be stored as centrally as possible. Tools such as Octa help to manage end customers' accounts. All services used then access the customer data centrally. By being able to view the history of stored data at the touch of a button, consumer rights and deletion obligations can be guaranteed much more easily.  

Data minimization and privacy by design     

However, it is fundamentally important to take a critical look at the flood of data in the company. In order to implement legal requirements such as privacy by design and privacy by default, it is fundamentally necessary to rethink marketing and sales. This is because the principle of data minimization associated with the legal requirements contradicts the desire to collect more and more customer-related data in order to evaluate it later. When selecting new SaaS solutions and third-party providers in the cloud, it should therefore already be checked during the selection process how the potential partners are positioned with regard to the GDPR.  

Avoid rookie mistakes: Evaluating safety     

Caution is always required when handling cloud data so that, for example, customer data in an S3 bucket does not inadvertently become public or services such as Elastic Search do not violate the GDPR. To avoid classic data protection errors, service providers such as Alice&Bob offer a security assessment. This also includes integrating automated checks into customers' CI/CD development environments in order to avoid errors. Despite the hurdles, experience from many projects shows that Consistent data protection in the cloud can definitely be implemented with a holistic concept (link: https://aliceandbob.company/whitepaper-migration-2021-10/).

‍