Use of the cloud is booming worldwide, and with it the number of cloud service providers and of certifications on offer; the current market is a jungle of both. At the same time, new requirements are arising from the forthcoming EU General Data Protection Regulation. The research project "AUDITOR – European Cloud Service Data Protection Certification" therefore aims to create clarity and greater legal certainty and, building on the preliminary work of the "Trusted Cloud" technology program, to develop a unified, Europe-wide certification that integrates the established norms. To this end, an interdisciplinary team of researchers and companies is developing a data protection certification for cloud services based on the new EU General Data Protection Regulation, which is intended to become the standard across Europe.
The objective of the research project "AUDITOR" is the conception, exemplary implementation, and testing of an enduring EU-wide data protection certification for cloud services. Certification in accordance with the EU General Data Protection Regulation (GDPR) is in the interests of everyone involved: cloud customers, who are only permitted to work with cloud providers that can guarantee a sufficient level of data protection; cloud providers, who can demonstrate exactly this level of protection with such a certification; auditing and certification bodies, for whom the GDPR sets strict requirements; and end users, whose personal data may be processed by the service and whose protection is the focus of any cloud service certification.
In order to conceptualize an enduring data protection certification, the first step is to develop a catalog of criteria for the certification of cloud services in accordance with the GDPR, and to pursue its standardization in the form of a DIN specification (a document of the German standardization body DIN). This DIN specification forms the foundation for a European norm and for the development of a data protection certification process that is recognized EU-wide. Against the backdrop of the European single market, a harmonized approach to the use of cloud services in Europe is of great importance. A first version of the catalog of criteria will be made public in April 2018; further adjustments will follow from the results of the subsequent field test and stakeholder consultations.
Along with this, suitable organizational structures and processes for the intended certification will be conceptualized. This includes, in particular, the specification of modular certification and audit processes that take international standards into account. Finally, to ensure long-term usage and broad dissemination of AUDITOR, business models for the enduring success of the AUDITOR processes will be examined. The certification processes developed in the AUDITOR project and the criteria prepared for standardization are then to be tested in practice and validated during the course of the project.
“The goal of the AUDITOR project is to improve the comparability of cloud services which are offered by companies located in different EU member states, and in this way to create transparency. This is above all beneficial for SMEs, but also for large companies, because new market potential can be opened up on the basis of an enduringly applicable EU-wide data protection certification for cloud services in accordance with the GDPR. Our work on further developing and substantially improving the certification of cloud services is in the interests of all players in the market,” according to Prof. Dr. Ali Sunyaev (Director at the Research Center for Information System Design (ITeG) at the University of Kassel).
The following institutions and organizations are involved in the project:
University of Kassel, subject areas Business Informatics and Systems Development;
CLOUD&HEAT Technologies GmbH;
datenschutz cert GmbH;
DIN-Normenausschuss Informationstechnik und Anwendungen (NIA), DIN e.V.;
EuroCloud Deutschland_eco e.V., eco – Verband der Internetwirtschaft;
University of Kassel, subject area Public Law, with a focus on Technology Law and Environmental Law, Project Group for the Constitutionally Compliant Design of Technology (provet);
German Federal Office for Information Security (BSI);
Fabasoft Austria GmbH;
PricewaterhouseCoopers GmbH Wirtschaftsprüfungsgesellschaft;
SCOPE Europe b.v.b.a/s.p.r.l.;
Competency Network Trusted Cloud e.V.;
TÜV Informationstechnik GmbH;
Independent State Center for Data Protection, Schleswig-Holstein;
VOICE-Bundesverband der IT-Anwender e. V.