With the General Data Protection Regulation (GDPR), the European Union has created the legal foundations for a uniform digital single market. Its 99 articles introduce countless new obligations for companies, while giving EU citizens more protective rights for their data. The obligation to produce supporting documents, privacy by design, the right to be forgotten and the obligation to notify data breaches – there is a long list of conditions, and companies must act swiftly to comply with the new rules. As well as obligations and risks, however, the General Data Protection Regulation also creates opportunities: a uniform legal framework offers better prospects for establishing new business models across Europe.
"It's time to act. There is no way around it, because the deadline will definitely not be extended any further", warns Jan Philipp Albrecht. The European Parliament's rapporteur on the General Data Protection Regulation is urging companies to address the new data privacy regulations without delay. Once the more stringent provisions of the General Data Protection Regulation come into force in May 2018, breaches will be liable to hefty fines.
Data privacy breaches will be costly
Any companies that fail to observe the regulations on the storage and processing of personal data face fines of 20 million euros, or up to four percent of their gross global sales. Despite this, a recent survey by the industry association Bitkom found that one-third of companies have yet to address this issue at all, and only 13 percent have adopted or implemented initial measures. Hence, it would seem that the majority of German companies are not prepared for the GDPR. Many companies will have to introduce new technical/organizational measures and data handling procedures, train and sensitize personnel in data privacy, and implement new software and processes, for example with regard to data management and compliance management.
Are cloud services compliant with the new data privacy law?
Among companies, IT departments in particular are under the spotlight, faced with deciding whether the use of cloud services is data privacy-compliant. The answer? It depends. Firstly, data privacy regulations such as the General Data Protection Regulation only apply to personal data, although this now affects the majority of applications.
Secondly, the offerings of the numerous cloud providers differ in several respects. For public cloud services and software-as-a-service offerings in particular, the physical location of the data center and the country that manages the cloud services are pivotal. Whether or not personal data leaves Germany and/or the European Union is the key issue here. This is the case as soon as the data appears on a support employee’s screen outside of the European Union.
Open Telekom Cloud is compliant with the General Data Protection Regulation
Deutsche Telekom and T-Systems designed their public cloud offering with a view to the stringent requirements of the General Data Protection Regulation, in order to give companies security: the Open Telekom Cloud already meets all the requirements of the Federal Data Protection Act, as confirmed by the data privacy organization Stiftung Datenschutz, which awarded it the recognized "Trusted Cloud Data Privacy Profile (TCDP 1.0)" certificate. In future, this seal of quality will be aligned with the requirements of the GDPR, and the Open Telekom Cloud is of course expected to satisfy these requirements.