With the introduction of the DSGVO, the protection of personal data has moved back to the foreground. In this part of the three-part interview with Fresh Compliance, we have clarified for you how you as a business customer can work safely in the cloud and what you should bear in mind when choosing your cloud provider."
Many people - especially the young generation - are online all day. The focus is on social networks. Programs are no longer downloaded, but used directly on the Internet. This also means that their data and programs are stored in data centers and no longer on their own computers at home. The DSGVO aims precisely at this current era, with the intention that individuals can determine more about their data again and know what happens to their data. A good cloud provider is therefore transparent. It should communicate where the data is located, what happens to the data and how the data is protected. Does the cloud provider use open source software and encrypt the data using real end-to-end encryption? Ideally, does it even follow the zero knowledge principle? Very good!
"Just like with organic products, where it is important to me that they come from the region, it should also be important that my data remains in the region where I am located.“
In addition, the recommendation is very clear: host the data in Europe, i.e. choose a provider that stores the data in Europe. Now we are sitting here in Germany, so of course it makes sense to choose a cloud provider, who follows the laws in this country - a German cloud provider.
As soon as the customer is doing business, it is important, that a so-called order processing agreement (AVV) - formerly ADV - is concluded between him and the cloud provider. In the past, the responsibility for this was more on the customer side, now it is shared. This is why the provision of such an order processing contract also makes a good cloud provider. It contains all rights and obligations of both parties. Thus, the cloud provider insures with the conclusion of the contract e.g, that he implements appropriate data protection and data security measures.
Before the DSGVO, the TOMs only made it into the Annex of the Federal Data Protection Act, now they are very present as Article 32 in the DSGVO.
"TOM is the little brother of IT and Information Security."
TOM stands for the technical and organisational measures that companies can take to comply with the DSGVO. For example, security measures that regulate access control are listed to the server room or personnel file cabinets, as well as measures for encrypting data in the cloud.
As soon as at least ten employees in a company are constantly familiar with the automated processing of personal data, a data protection officer must be appointed, who will then also be mentioned in the AVV. The data protection officer is a person from the company, that reports directly to the managing director and can work without instructions. He should be reliable and have appropriate expertise in the field of data protection and must not be subject to any conflicts of interest. Therefore, the data protection officer is never the managing director himself, as is often mistakenly assumed. Since the topic of data protection is becoming increasingly complex in the course of the DSGVO and is increasingly developing into a legal and technical topic, the selected employee should also take part in appropriate training courses. Consequently, sufficient resources should be allocated to him so that he can carry out his work conscientiously.
What further changes will you face in the future and a summary of the most important points of the entire interview, you'll find in part 3 of our summary.
author: Christina Gluch