How companies work in the cloud in compliance with the GDPR

Author: Freerk Ohling, Solutions Architect at Alice&Bob.Company GmbH

Data protection presents companies with many challenges, but the cloud helps with compliance through standard services. Today, with the right security concept, even sensitive personal data or intellectual property can be transferred to the cloud in encrypted form and stored securely there. Centralized data storage also helps with the right to be forgotten and the right to information.

More and more organizations are turning to the cloud for reasons such as efficiency, IT skills shortages, agility, and greater innovation. But when workloads are migrated, the question of data protection compliance also arises. Many companies are concerned because data protection in Germany is not handled fully transparently. Data protection is a state matter here: each state has its own data protection officers, who act with varying degrees of intensity and “aggressiveness.” The fear of coming under the spotlight as a negative example in a random check is all the greater because data protection is definitely perceived as a gray area. It is often not clear down to the last detail what is legally permitted and what is not.

The good news is that with a well-thought-out security concept, GDPR compliance is feasible even in complex scenarios. A wide range of standard AWS services for security, data security, IAM (identity and access management), and data integrity are already available to help comply with data protection requirements. The IDG study “Cloud Security 2021” (Link: https://www.computerwoche.de/a/das-bild-von-cloud-sicherheit-stimmt-noch-nicht,3550978) shows that a good 60 percent of nearly 400 companies surveyed perceive the cloud as an opportunity to improve security. 

The data does not leave the EU  

When deciding on a cloud migration, the first question is where to store the data. As a rule, the largest AWS data center in Frankfurt is chosen, but other regions such as Paris or Stockholm are also suitable: in the EU, the General Data Protection Regulation applies. Providers like AWS are committed to CISPE, the Code of Conduct for Cloud Infrastructure Services (Link: https://cispe.cloud/code-of-conduct/). A techconsult-Ionos study (link: https://cloud.ionos.de/reports/techconsult-gaia-x-studie-2021) from last year shows that 56 percent of 207 companies surveyed rely on German cloud data centers and 31 percent on data centers in the EU.

All data is stored encrypted  

The second important principle for data in the cloud is encryption. This task is covered by AWS KMS (Key Management Service), which offers different approaches: with the Customer Managed Key, the customer itself retains access to the keys and manages them in its infrastructure. Otherwise, keys are managed securely in the cloud environment. Of course, personal data in particular should not be publicly accessible if possible, but there are many gray areas here. However, solutions can be found even for complex challenges involving personal data (link: https://aliceandbob.company/work/case-study-socialmedia-s3-asset-playout-gdpr-comliant/), for example when it comes to profile pictures, which are also considered PII (personally identifiable information). Alice&Bob’s Secure Asset Server can ensure that in a content delivery network (a group of geographically distributed servers), data is always encrypted, and delivered encrypted, in the EU. The solution ensures that there are no significant time delays in this process, even at the Australian location.

Watching like a hawk: GuardDuty and Co.

AWS is already heavily focused on data protection (Link: https://aws.amazon.com/de/compliance/gdpr-center/). One of the most important services to mention is GuardDuty. The service provides threat detection monitoring that keeps a close eye on what is happening in the infrastructure: Is an employee behaving differently than usual, or are a lot of requests being sent to download profile pictures, for example? The Macie monitoring service also performs well. Macie can automatically detect whether personal data such as credit card numbers are involved and analyze a wide variety of log files. As soon as a “plain name” or a card number is detected in a log file, a message is sent that the app in question has been misconfigured. AWS Inspector, on the other hand, monitors whether the configuration of the services used has been carried out properly. Here, you can select which rules should be checked, such as PCI DSS for payment service providers or the GDPR. Inspector points out anything that contradicts data protection best practices. AWS Config rules can also be used to continuously check predefined rules, and in the event of problems, a notification is sent via Slack or email.
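
A simplified sketch of the kind of log-file detection described above, added here as an example and not Macie's actual implementation: candidate card numbers are matched by pattern, confirmed with the Luhn checksum so that ordinary 16-digit IDs are not reported, and returned masked. The log lines are constructed and use well-known public test card numbers; all function names are hypothetical.

```python
import re

# Candidate card numbers: 13-19 digits, optionally separated by single spaces or hyphens.
CANDIDATE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit, counted from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(line: str) -> list[str]:
    """Return the card numbers found in one log line, masked for reporting."""
    hits = []
    for m in CANDIDATE.finditer(line):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):  # filters out request IDs, order numbers, etc.
            hits.append(digits[:6] + "*" * (len(digits) - 10) + digits[-4:])
    return hits


def scan(lines):
    """Yield (line_number, masked_hits) for every line that leaks a card number."""
    for n, line in enumerate(lines, start=1):
        hits = find_card_numbers(line)
        if hits:
            yield n, hits


# Constructed sample log lines; the card numbers are public test numbers.
SAMPLE_LOG = [
    "2021-11-02T10:15:01Z INFO  checkout started order=100234",
    "2021-11-02T10:15:02Z DEBUG payment payload card=4111 1111 1111 1111 exp=12/25",
    "2021-11-02T10:15:03Z INFO  request id=1234567890123456 took 81ms",
    "2021-11-02T10:15:04Z ERROR gateway rejected pan=5555-5555-5555-4444",
]

if __name__ == "__main__":
    for n, hits in scan(SAMPLE_LOG):
        print(f"line {n}: possible card number(s) {hits}")
```

The finding never contains the full number, so the alert itself does not become a second copy of the leaked data.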

Use additional agreements such as SCC  

In dealings with cloud providers and service providers, the order data processing agreement is also important, in which the service provider rules out using the data itself. Additional contractual agreements are set out in the Data Processing Addendum or in the SCC (Standard Contractual Clauses). This is particularly important if a company, such as a comparison portal, works with a large number of service providers on the Internet. Tables must then be kept of the context in which personal data occurs. In addition, the GDPR compliance of the individual partners must be contractually ensured.

Data protection is easier in the cloud  

The cloud offers important advantages: Tools that have to be purchased and managed separately on premises are often available free of charge. All services are integrated from the outset with each other, with cloud storage, and with databases. Required audits and certifications are easy to implement, especially with well-known providers like AWS. Many tasks can easily be outsourced in the form of managed security services if required and if IT staff shortages occur.

The right to be forgotten: Obligations to delete  

The right to be forgotten and the right to know what data is stored about an individual are very similar in practice. Both pose real challenges for companies. For implementation, especially in complex contexts such as online commerce, dedicated teams are often still needed to check manually, and with a correspondingly high risk of error, which personal data is stored in which processes. Instead, data should be stored as centrally as possible. Tools such as Okta help to manage the accounts of end customers. All the services used then access customer data centrally there. By making the history of stored data visible at the click of a button, consumer rights and deletion obligations are much easier to guarantee.

Data economy and privacy by design  

 In principle, however, it is important to take a critical look at the flood of data in the company. In order to implement legal requirements such as Privacy by Design and Privacy by Default, it is basically necessary to rethink marketing and sales. This is because the principle of data economy associated with the legal requirements contradicts the desire to collect more and more customer-related data in order to analyze it later. When selecting new SaaS solutions and third-party providers in the cloud, it should therefore be checked during the selection process how potential partners are positioned with regard to the GDPR. 

Avoid Rookie Mistakes: Security Assessment  

Care is always required when handling cloud data, so that customer data in an S3 bucket does not accidentally become public, for example, or the GDPR is not violated with services such as Elasticsearch. To avoid classic data protection mistakes, service providers such as Alice&Bob offer a security assessment. This also includes building automated checks into customers’ CI/CD development environments to prevent errors. Despite the hurdles, experience from many projects shows that consistent data protection in the cloud can definitely be implemented with a holistic concept (Link: https://aliceandbob.company/whitepaper-migration-2021-10/).
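
One way such an automated CI/CD check could look, added here as an example and not Alice&Bob's own tooling: the script inspects a parsed CloudFormation template for S3 buckets that could become public or lack default KMS encryption (the encryption principle above), and rejects a deployment region outside the EU regions this article names. The choice of CloudFormation, the function names and the sample template are assumptions.

```python
import json

# EU regions named in this article: Frankfurt, Paris, Stockholm.
EU_REGIONS = {"eu-central-1", "eu-west-3", "eu-north-1"}
PAB_FLAGS = ("BlockPublicAcls", "BlockPublicPolicy", "IgnorePublicAcls", "RestrictPublicBuckets")
PUBLIC_ACLS = {"PublicRead", "PublicReadWrite", "AuthenticatedRead"}


def check_bucket(name, props):
    """Return a list of findings for one AWS::S3::Bucket resource."""
    findings = []
    if props.get("AccessControl") in PUBLIC_ACLS:
        findings.append(f"{name}: canned ACL {props['AccessControl']} grants access beyond the account")
    pab = props.get("PublicAccessBlockConfiguration", {})
    # CloudFormation accepts both true and "true", so compare as text.
    off = [f for f in PAB_FLAGS if str(pab.get(f)).lower() != "true"]
    if off:
        findings.append(f"{name}: public access block incomplete: {', '.join(off)}")
    rules = props.get("BucketEncryption", {}).get("ServerSideEncryptionConfiguration", [])
    algos = {r.get("ServerSideEncryptionByDefault", {}).get("SSEAlgorithm") for r in rules}
    if "aws:kms" not in algos:
        findings.append(f"{name}: no default SSE-KMS encryption")
    return findings


def check_template(template, deploy_region):
    """Check the target region and every S3 bucket in a parsed template."""
    findings = []
    if deploy_region not in EU_REGIONS:
        findings.append(f"region {deploy_region} is outside the approved EU regions")
    for name, res in template.get("Resources", {}).items():
        if res.get("Type") == "AWS::S3::Bucket":
            findings += check_bucket(name, res.get("Properties", {}))
    return findings


# Constructed sample template: one compliant bucket, one misconfigured bucket.
SAMPLE = json.loads("""{"Resources": {
  "ProfilePictures": {"Type": "AWS::S3::Bucket", "Properties": {
    "PublicAccessBlockConfiguration": {"BlockPublicAcls": true, "BlockPublicPolicy": true,
                                       "IgnorePublicAcls": true, "RestrictPublicBuckets": true},
    "BucketEncryption": {"ServerSideEncryptionConfiguration": [
      {"ServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"}}]}}},
  "ExportDump": {"Type": "AWS::S3::Bucket", "Properties": {"AccessControl": "PublicRead"}}}}""")

if __name__ == "__main__":
    problems = check_template(SAMPLE, "eu-central-1")
    print("\n".join(problems) or "no findings")
    raise SystemExit(1 if problems else 0)  # non-zero exit fails the CI job
```

Run as a pipeline step before deployment, the non-zero exit code blocks the misconfigured bucket from ever being created.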