Data protection in the Cloud - How do Providers Implement the GDPR?

In order to remain competitive and to be able to deal with the constantly growing amounts of data, more and more companies are moving their applications to cloud systems. There they remain scalable and secure. However, since most providers are mainly from the USA, doubts about data security are always present. Many worry that data protection in the cloud is not sufficiently guaranteed. The fact that Google has a reputation as a data octopus makes the issue even more explosive. But what is the truth behind these concerns? How do companies like AWS or Google implement the GDPR?

Data Protection in the European Union

The General Data Protection Regulation (GDPR) is a European Union regulation. It unifies the rules for the processing of personal data by private companies, but also public institutions in the EU area. The aim is to ensure the protection of personal data within the European Union and to guarantee the free and secure movement of data. Violations are severely punished, with fines quickly running into the tens of millions. In order to maintain the confidentiality and integrity of data while accessing a GDPR-compliant cloud, data storage, archiving and management must be encrypted.

Location is Crucial

Those who choose cloud providers from EU countries can be sure that the processing of company data is data protection compliant according to the requirements of the GDPR. However, the largest and most widely used providers come from the USA. There, data protection is treated far less critically and sanctioned. The top dogs Amazon, Microsoft and Google have data centres that are spread all over the planet. However, since the GDPR is a European directive, customers should make sure that the data does not leave the sphere of influence of the General Data Protection Regulation (= the European Union). Customers should therefore make sure that their data is stored in European data centres. A transfer of personal data to other EU countries is only permitted if the country guarantees data protection similar to that in the EU.

The user Himself is in Charge

What few people realise is that when it comes to data protection, it is not only the cloud service provider, for example Microsoft in the case of Azure, that bears the responsibility, but also the customer who books the service with Microsoft. Those who outsource the processing of data to third parties cannot completely escape responsibility. Article 28 of the GDPR regulates the cooperation with customers and the cloud service provider. It is the customer's responsibility to ensure that the cloud handles the data in a GDPR-compliant manner.

Data Protection at Amazon

Amazon's AWS uses a lot of methods to protect customer data in the best possible way. These include, for example, certifications to various compliance programmes such as PCI DSS, ISO 27001 or SOC 1/2/3, which are regularly reviewed by independent auditors to confirm the cloud's compliance with the GDPR. AWS supports its customers with services and resources to meet the requirements of the regulation. For example, the cloud platform enables its users to take comprehensive measures to encrypt content even better and avert potential threats. However, companies must also protect the content they operate on the platform themselves. This division of tasks is known as the "shared responsibility model".

GDPR at Azure

The will to comply with European Data Protection laws is also present at Microsoft. A comprehensive catalogue of rules is intended to prevent personal data from falling into the wrong hands. With Azure Information Protection, Microsoft offers an integrated solution for end-to-end data protection during storage and transmission of content. Users also benefit from the Microsoft Compliance Manager, which collects details of the legally prescribed controls implemented by Microsoft. The user is shown these centrally on a dashboard and can see possible improvements in terms of data protection in the cloud at a glance.

Data Protection Regulation Compliance on the Google Cloud Platform

How does this look at Google? How secure is the GCP with regard to the GDPR? Due to the high fines of up to 20 million euros in some cases, Google also had no choice but to make its own Cloud GDPR-compliant. This was not least due to a conviction of the company for lack of transparency with the smartphone operating system Android (the company has so far not been guilty with the cloud). In order to meet the critical point already mentioned with the transfer of personal data to other EU countries, Google makes use of corresponding certifications and contracts for the processing of data abroad. On its own website, the company also provides extensive information about the measures it takes to comply with the requirements.

Conclusion

Companies operating in the cloud should not take the issue of data protection lightly. The penalties can be draconian and the increasing number of sanctions in recent years is a deterrent. Companies like Google cannot afford to sweep the issue under the digital carpet.