With the General Data Protection Regulation (GDPR), the European Union has created the legal foundations for a uniform digital single market. Its 99 articles introduced countless new obligations for companies and gave EU citizens more protective rights for their data. The obligation to produce supporting documents, privacy by design, the right to be forgotten and the obligation to notify data breaches – there is a long list of conditions, and companies needed to act swiftly to comply with the rules. As well as obligations and risks, however, the General Data Protection Regulation also created opportunities: a uniform legal framework offered better prospects for establishing new business models across Europe.
“It's time to act. There is no way around it, because the deadline will definitely not be extended any further”, warned Jan Philipp Albrecht. The European Parliament’s rapporteur on the General Data Protection Regulation was urging companies to address the data privacy regulations without delay. Ever since the more stringent provisions of the General Data Protection Regulation came into force in May 2018, breaches have been liable to hefty fines.
Data privacy breaches are costly
Any company that fails to observe the regulations on the storage and processing of personal data faces fines of 20 million euros, or up to four percent of its gross global sales. Despite this, a 2018 survey by the industry association Bitkom found that one-third of companies had not addressed this issue at all at that time, and only 13 percent had adopted or implemented initial measures. Hence, it seemed that the majority of German companies were not prepared for the GDPR. Many companies had to introduce new technical and organizational measures and data handling procedures, train and sensitize personnel in data privacy, and implement new software and processes, for example with regard to data management and compliance management.
Are cloud services compliant with the new data privacy law?
Among companies, IT departments in particular are under the spotlight, faced with deciding whether the use of cloud services is data privacy-compliant. The answer? It depends. Firstly, data privacy regulations such as the General Data Protection Regulation only apply to personal data, although this now affects the majority of applications.
Secondly, the offerings of the numerous cloud providers differ in several respects. For public cloud services and software-as-a-service offerings in particular, the physical location of the data center and the country from which the cloud services are managed are pivotal. Whether or not personal data leaves Germany and/or the European Union is the key issue here, and data counts as having left as soon as it appears on a support employee’s screen outside of the European Union.
Open Telekom Cloud is compliant with the General Data Protection Regulation
Deutsche Telekom and T-Systems designed their public cloud offering with a view to the stringent requirements of the General Data Protection Regulation, in order to give companies certainty: the Open Telekom Cloud already meets all the requirements of the Federal Data Protection Act, as confirmed by the data privacy organization Stiftung Datenschutz, which awarded it the recognized “Trusted Cloud Data Privacy Profile (TCDP 1.0)” certificate. This seal of quality aligns with the requirements of the GDPR, and the Open Telekom Cloud satisfies these requirements.