In May 2016, the new EU General Data Protection Regulation (EU-GDPR) took effect. Within two years, affected companies and in particular providers of storage solutions must ensure that their services conform to the new laws. For example, there is a requirement that the location of the server is no longer definitive for the application of the data protection directive, but rather the location of the user. This has wide-ranging consequences for the field of data forwarding, management, and potential necessity for future deletion. Violations can lead to fines in the millions. We explain the essential changes and potential consequences for your company so that you can take timely action.
Overview of the most important changes to the EU-GDPR
After years of discussion across Europe, the new EU General Data Protection Regulation was approved in May 2016. While it has the goal of strengthening the rights of EU citizens and protecting them against data abuse and security risks, some companies need to take substantial efforts to comply with the regulation. One of the essential changes is that when the data protection laws are applied, the location of the server is no longer definitive, but rather the permanent residence of the user. This means that EU citizens have some rights that can be more extensive than those of other users of the same services. Also important is that potential violations of the regulation threaten significant fines of up to 4% of annual sales or 20 million euro, whichever is greater. The fine can thus easily reach hundreds of millions of euros for large companies. This is because it applies to the annual sales of the entire company, not just an individual legal person or sub-corporation.
The new regulation of the data protection law does provide for individual national regulations in some cases. Overall, however, the regulation that took force on 25/05/2016 applies uniformly across Europe, with an initial grace period of 2 years, through May 2018.
Check early whether your data is affected
Does your company keep sensitive customer data? Do you have plans to upload it to a public cloud, or have you already done so? This can be a security risk. Even if you delete it later, it is possible that the cloud provider will not cooperate fully and the data will not really be deleted. According to a study performed by IDG Research Services in 2016 about cloud security1, data loss and stolen data, in addition to other issues, are near the top of the list of potential security risks in cloud computing. Most of these risks primarily affect external cloud providers located outside of Germany, but overall it is clear that it is better to leave your data right where it belongs: within your company!
Other important changes within the new regulation that affect both your business customers and potential end customers are:
- Consent & right to information: Customers of your company must explicitly consent to the storage of their data and can request information at any time about what information you have stored about them.
- Data transferability: Customers should have the principle ability to transfer their data, exactly as they are, to another provider. How exactly this is to be done has not yet been clarified.
- Right to be forgotten: Customers of your company must have the ability at any time “to be forgotten”. This means that all data that relates to the customer and is not needed (anymore) to execute the business relationship must be deleted by you upon request. This applies not only to the master data, but also ordering histories, complaint records, and sales numbers. If you have already transmitted the data to third parties, you must also actively see to it being deleted for the affected party and must confirm the same to the affected party.
- Minimum age: Depending on the member state, your customers must have reached a minimum age of 13 or 16 when registering, and this must be proven by suitable means.
- Local complaints: Customers can report incidents to their local data protection office in their own language, and do not need to address you directly.
- Discovered security gaps and successful hacker attacks: These must be reported to the responsible authorities immediately, and not just in critical cases, if customer data is affected.
- Operational data protection officer: It is mandatory to assign one, if you pursue activities that can involve data protection risk (for example, if you collect bank and bank account data).
- EU representative: Foreign companies without a location or headquarters in the EU must assign an EU representative in most cases.
Differences between data protection law in the US and Germany
While the essential laws about data protection in Germany and Europe are derived from the fundamental right to informational self-determination, data protection in the USA is more a result of consumer protection laws. The converse argument implies that on the other side of the Atlantic, data protection is viewed more pragmatically and companies are subjected more to negotiated agreements than to strictly regimented laws.
The main differences between the two continents look like this:
|Germany / Europe||US (+ some other countries)|
|Federal Data Protection Law (BDSG), EU-GDPR||Data protection has no legislative foundation|
|Subject to EU rules and regulations||US government has wide-ranging freedom of action to monitor data traffic thanks to the “Patriot Act”|
|Data secrecy is largely ensured||Data secrecy as such is pretty much unknown|
|Right to informational self-determination||Self-regulation of market participants|
|Federal Office for Information Security||No (independent) agency has responsibility for data protection|
|Data typically remains within the data protection boundaries of a country||Data is transmitted worldwide with no limitations and stored “somewhere” as needed|
|Penalties and orders, regulatory approach||“Blame and shame” process (virtual pillory in case of violations), pragmatic approach|
|Agencies must be informed immediately when sensitive data is at risk||Internal attempts to fix data leaks first, before an agency needs to be involved|
|Laws are applied regardless of any possible encryption||Unencrypted data is rarely considered worthy of protection|
In the USA, the interests of companies and security agencies are protected above all, and data protection is treated relatively carelessly in practice. The EU, and Germany in particular, focus on the rights of individuals and data protection is considered a fundamental human right.
Data protection and security
So what do you need to consider in order to be on the right side of the law?
First of all, you need to decide precisely which provider you will trust to work with you to protect your internal company data. To do so, you should ask the following questions when selecting your cloud provider:
- Is the provider located in the EU, or even better, in Germany? The laws that apply in this country are often simply not familiar (enough) to providers in other countries. Nevertheless, as a company owner you are responsible for compliance when it comes to your customers’ data.
- Can the intended solution also function without an active Internet connection?
- Is the data encrypted for transmission? What standard is it based on?
- Is the transmission of data limited to only what is absolutely necessary?
- Is the data encrypted whenever it is saved by the provider? What security standard is used?
- Does the provider have an interest in keeping your data secure, or might it benefit from the data that you upload (for advertising, tracking, selling data, spying?)
- Can it guarantee that it works to the new EU-GDPR (2018) and will help you with compliance?
If you have made user data accessible in a public cloud, and it has potentially been transmitted to other countries outside the EU, you will most probably be in violation of the law no later than the middle of 2018. If the provider there is not able, or refuses, to work to the EU standard, then you might even be required to request that the data be deleted and enforce that request. This cannot only take a lot of time in some cases, but it can also become very expensive.
What to do if relocation is necessary?
If you have already saved your data on servers whose operators may not work to applicable EU law, we recommend taking the following steps:
- Clarify which data has already been transmitted where, and to what extent you can replace the current solution with a cloud located in Germany.
- Identify the prerequisites for an appropriate level of data protection under the new EU regulation.
- If you decide to use cloudplan: have one of our consultants present a customised solution for you and install it at your location if desired.
- Test the solution(s) with real data.
- Transfer back the data stored elsewhere out of the clouds and onto your own systems.
- Load particular, non-sensitive data to a public cloud, if desired.
- Request that your previous provider deletes the existing data, referencing applicable EU data protection law (so-called revocation of consent).
- Also request that the provider deletes the data completely from third-party systems, or confirms that your data has not fallen into the hands of any third parties.
- Have all deletion procedures confirmed in writing once they are complete and search for parts of the data on Google, for example, in order to check.
Cloudplan is happy to help you with the execution of such deletion and transfer procedures and will provide individual advice on what procedure makes the most sense in your case.
The handling of data and the cloud is similar to your company’s vehicle fleet. You make it available to your employees and engage third parties to performance maintenance and service. It would be more than aggravating if employees of the maintenance company were to take and copy confidential documents from the vehicles, or if the vehicles were used off-road, outside of their specified use. If you and your service provider not only speak the same language when it comes to data protection, but also are in the same boat with regard to potential liability questions, then your risk remains minimal. So, put your trust only in those cloud solutions that meet the latest EU standard and contact us today.