The GDPR has been on everyone’s lips, and not only since the recent ruling on the EU-US Privacy Shield. With a new guide, the EuroCloud member gridscale offers SMEs some orientation in their cooperation with cloud providers. An interview with CEO Henrik Hasenkamp and Marketing Director Jens Wardenbach of the PaaS & IaaS cloud hosting provider from Cologne, Germany.
How did the idea for the guide come about?
Jens Wardenbach: Most of the guides to the GDPR that already exist do not address the actual needs of small and medium-sized enterprises (SMEs). Unfortunately, many of them can only be understood by lawyers or they only consider individual risks that can arise in cross-border cloud computing. According to recent surveys, GDPR compliance is the number one decision criterion – by far – for the transition to the cloud. In cooperation with the commercial law firm Heuking, we have managed to put the topic on paper for business and IT decision makers in a practical, clear and quickly readable style on only about twenty pages. The German-language guide is available for download from our website.
Henrik Hasenkamp: Furthermore, our guide includes matters that have not yet been really addressed. This starts with transparency obligations and liability for damages and goes well beyond tax issues or operational co-determination. For example, works councils and tax offices also have a say in relation to the GDPR and cloud computing – we want to make SMEs aware of this.
Works councils and tax offices: What’s the problem?
Hasenkamp: The works council must agree to any measures that could potentially lead to the monitoring of employees. If existing business software is moved to the cloud, this can be problematic. Theoretically, employees could be monitored via a cloud environment with its log-in processes, log data and information that is stored and evaluated by an intrusion detection system, for example. Businesses must negotiate agreements with their cloud provider to find solutions to this dilemma.
Wardenbach: The situation with tax offices is no different. Data that is subject to tax retention obligations must also be retained in Germany by companies that are subject to tax in Germany. Exceptions are possible and can be applied for at the tax offices, but again, these presuppose that the storage then takes place in accordance with the German tax code. It’s all pretty complicated. And we have not even talked about the contradiction between the deletion obligations for personal information on the one hand and the storage obligations of tax-relevant data on the other hand.
Why do questions about the GDPR remain relevant, especially for SMEs?
Hasenkamp: German small and medium-sized enterprises are specialised in their core business. This is what distinguishes these companies, which drive the German economy. Digitalisation issues are often driven by the company’s managers themselves. These are seasoned entrepreneurs, but they are not experts in data protection issues. This is exactly where our guide comes in.
Wardenbach: The cloud remains the engine of digital transformation. With the cloud, companies are improving collaboration, becoming more agile, networking, realising digital products and services and further developing their business models. Uncertainty surrounding the legal framework curbs innovation. We make SMEs aware of the typical pitfalls.
And what are these pitfalls?
For example, anyone who processes personal data in the cloud needs to know what they are doing. In practice, far more data can be assigned to a person than many people think. The theoretical possibility alone of being able to establish such a link between information and people is sufficient as a criterion. In the cloud, for example, not only names and email addresses are considered to be personal data, but also data records if they can potentially be related to individuals.
Wardenbach: Technical information such as time stamps and log files is considered personal data, even if it can only be assigned to a person with a certain amount of effort. Companies must have all these things in mind. And not only in SMEs, but also where industries are strictly regulated or compliance requirements must be met.
Can this not be avoided by anonymisation and pseudonymisation?
Hasenkamp: Only those who really make data completely anonymous are on the safe side. This is the case, for example, when statistics are produced. Meaning specifically: turning, for example, the statement “Mr. Smith and Mr. Power liked the product, Ms. Meyer did not like the product” into “66.6% of respondents liked the product”.
Wardenbach: Again, it becomes problematic when clear names are replaced by numbers or the unique serial numbers of devices are stored. Even so-called pseudonyms are personal data because they can still be assigned to an individual.
Hasenkamp: Encryption is not sufficient. Admittedly, users might think that the data is sufficiently anonymous for them and the cloud providers. However, data protection authorities regard encrypted data as pseudonymised data that can still be attributed to a person.
Now the Court of Justice of the European Union has overturned the EU-US Privacy Shield. What is your advice to users?
Hasenkamp: The current situation is once again confronting companies with major legal uncertainty. Those who rely on clouds of US providers, rather than on services from within the European Union, should regulate data exchange via the standard contractual clauses of the European Union. However, this implies an additional burden for companies to assess and conclude these agreements in detail.
Wardenbach: The ruling once again puts the GDPR in the spotlight – not only for users, but also for cloud service providers. The topic of data protection is increasingly becoming an important competitive advantage that can have a positive effect on customers and sales. And the interest in legally compliant and uncomplicated solutions for cloud computing is unbroken, especially among SMEs. The four-digit download numbers of our German-language guide speak for themselves.