Rainer Schneemayer gives tips on data protection in the Cloud
Data protection is currently the predominant topic in the field of IT security. Companies are faced with the question of how to store their data so that they can fulfil the requirements of the GDPR (General Data Protection Regulation). Not only the storage is relevant, but also the manner of transmission and processing and, of course, the rapid and complete recovery from data loss.
It makes sense not only to look at individual areas of IT with regard to data protection, but also to examine the company's IT concept as a whole and to analyse every phase of the data lifecycle, from its collection (e.g. via the website) and storage through to its use.
Which data is affected?
The DSGVO (GDPR) regulates the handling of all personal data whose storage or archiving is not required by statutory provisions. So if you are, for example, collecting people's names and e-mail addresses via your website, saving employee or customer data, or keeping a directory of your former customers, you are required to comply with the provisions of the GDPR. It is also important that, if the storage of the data is not necessary on the basis of a contractual relationship, you as the contractor must state the purpose of the storage. Every single person must have demonstrably given their consent.
Which areas are affected?
As already briefly mentioned, the GDPR concerns all areas of electronic data processing.
- First, the physical security of the servers must be ensured. This means in the broadest sense that servers must be housed so that they are not endangered by fire, power failure, etc. and that no unauthorized persons may have access to them.
- Second, the transfer of data must be encrypted, so that nobody else can read the data in transit.
- Third, storage should take place in high-security storage so that data cannot be stolen.
- Fourth, a backup of the data must be made, so that in the event of data loss the data can be restored with certainty.
The IT (cloud) provider holds a key position
The first step towards data security is therefore to satisfy yourself of the compliance of the cloud provider, especially in hybrid and public cloud scenarios. This is the case if the provider acts in accordance with the DSGVO regulations and holds appropriate certifications. A competent cloud provider will always provide a concept for all four of the points above. We at Timewarp always start with a thorough analysis of the current situation, identifying potential weaknesses and vulnerabilities. Then, together with the customer, we define goals for the individual areas and an action plan for their implementation. This catalogue of measures forms the basis for comprehensive documentation within the meaning of the GDPR.
The penalties provided for in the GDPR are very high (up to € 20 million or 4% of Group sales, whichever is higher) and can well pose an existential risk. Another precarious point from the company's point of view is the reversal of the burden of proof. In the event of a legal dispute, companies must prove that they have taken all necessary measures to protect the data. Not least because of this, the compliance of the cloud provider, and the documentation of the individual steps taken to implement the data protection measures, are of central importance.