Data protection plays an increasingly important role in companies. Particularly since the introduction of the GDPR in May 2018, a large body of rules must be observed to ensure that personal or other sensitive data in particular are stored and processed correctly.
In the course of this, software tools that are already in use in companies should also be checked for their conformity. Anyone using or planning to use cloud applications must also pay close attention to data protection. According to a press release by Bitkom Research on the subject of "Cloud use at record levels in companies", almost all companies (90 percent) state that it is indispensable for compliance with the basic data protection regulation for cloud solutions. For eight out of ten (79 percent) a transparent security architecture is essential, three quarters (76 percent) see the integration capability of the solutions as a must-have. Cloud users and planners are also concerned with the question of location. For two-thirds each, the headquarters of the cloud provider (67 percent) and the data center must be located in the legal territory of the EU (66 percent).
Particularly when using Microsoft products, users encounter considerable problems at the latest on second glance, because according to current estimates, data storage poses high risks. This is also confirmed by a data protection impact assessment (DSFA) carried out by Privacy Company on behalf of the Dutch Ministry of Justice and Security.
>>> The results are alarming: Microsoft collects and stores personal data on the behavior of individuals on a large scale without publicly documenting it - and thus violates the GDPR.
>>> As Microsoft Office is the most common data processing software, it is difficult as a user to check exactly where the data is stored and to demand that it be stored in compliance with GDPR only in Germany. But at least the decision where the processed data is stored is in the hands of the companies - therefore especially companies have to check exactly which storage service they use to secure their data to the maximum.
When using Microsoft OneDrive, extreme caution is required. OneDrive, as a storage solution from Microsoft and part of the Office package, offers generous free storage, but is this service really "free"? Or do you pay for it with your data?
Even in the private sphere you scroll quickly through the collection of legal details you agree to without having really read them. In the B2B area, one usually pays more attention to the contents, but here too there is still a lot of catching up to do. After all, every service usually accesses far more in the background than users would ever suspect. Here, all files processed or stored in a free service such as OneDrive are quickly used to improve machine learning, offer personalized products and targeted advertising, or even to supply service providers and comply with instructions from authorities. All that "nicely packaged" in small print.
Also, if access is automated and controlled by AI, one must not forget that behind these applications are people who program the algorithms and ultimately evaluate them. And for this they can and must access your data. Therefore, it cannot be ruled out that this access may be misused by a Microsoft employee, one of the partners or service providers. Because any unauthorized access poses a security risk to you.
According to a report on heise.de, Michael Ronellenfitsch, the data protection commissioner of the state of Hesse, recently warned that the data stored in the cloud with the office package could be accessed in the USA. He came to this conclusion because personal data of children and teachers would be stored in the cloud. Even if the corresponding servers are located in Europe, the information is "exposed to possible access by US authorities".
In his opinion, public institutions in Germany have a special responsibility with regard to the permissibility and traceability of the processing of personal data. In addition, the digital sovereignty of state data processing must be guaranteed.
"A frequent criticism of the supervisory authorities is that it cannot always be guaranteed that access to files stored in such systems is only granted by authorised persons", says Christian Volkmer, data protection expert and managing director of Projekt 29 GmbH & Co. KG.
>>> Otherwise, many school institutions in the Upper Palatinate are already solving this problem. Instead of storing the data in the cloud via a Microsoft solution they use the secure enterprise file sharing solution DRACOON. "Made and hosted in Germany" DRACOON offers a data protection compliant option to exchange sensitive data securely and easily. The file service has a detailed role and rights concept and can be quickly adapted to the given structures.
From a data protection perspective, the use of cloud services is associated with certain risks. Storing data on Internet-based storage media with an external service provider requires compliance with special data protection-compliant conditions. With cloud computing, companies no longer store their applications and data in their own data center, but with a contracted provider whose services can be accessed via the public Internet. This saves companies the purchase and administration of their own hardware and software and they no longer need to operate their own IT infrastructures. This saves costs, but at the same time creates risks in terms of data protection and data security. These are given by the fact that the shared IT components in the cloud can in principle be accessed by everyone via the Internet and are only protected by an access procedure (user name and password as well as encryption techniques).
Furthermore, security gaps can allow unauthorized access to the company's data stocks. All of these vulnerabilities may lead to subsequent problems:
When using cloud services, several parties are contractually bound to each other, each of which has an influence on data protection aspects. This creates relationships not only between the cloud provider and the cloud user, but also between the cloud user and his business partners and customers, whose data protection rights are also affected. In principle, data protection requirements can only be met if the cloud provider can offer a specified level of technical data security. This is determined by the hardware and software of the service provider. Encryption technologies for data and access, authentication methods and also firewall components are used. In addition, organizational security regulates the protection of physical access to the cloud provider's IT components.
In addition to providing the technical requirements for data security, cloud providers must also comply with legal data protection requirements. These are regulated EU-wide by the GDPR. What is important here is the legal fact that in cloud computing the cloud user as a company is responsible for data security in relation to its customers. Details between the cloud provider and the cloud user are regulated in a contract for commissioned data processing. The cloud user should have compliance with contractually guaranteed requirements guaranteed, for example, by means of data protection certification. The cloud customer remains the owner of his data, which is by no means a matter of course with some cloud services.
If a company stores its customers' data with a cloud provider, for example in the USA, data protection regulations can be violated. US cloud providers are required by law to deliver customer data to US authorities on request. In these cases, the EU GDPR no longer applies and supplementary agreements must be made with the provider. For example, cloud providers in the United States must ensure that they meet the requirements of the EU-US privacy shield. In this data protection compliance, the US government assures that the local data protection level will be maintained in data exchange with Europe. Whether this will prevent the transfer of data to US authorities may be doubted. It is therefore advisable in any case to use European cloud providers who operate their data centers within the EU.
Every company faces the challenge of storing, managing and sharing data digitally in a secure manner. With its highly secure and platform independent Enterprise File Service DRACOON offers its users maximum flexibility - and at the same time a 100% GDPR compliant solution. Thus, customers regain sovereignty over their data. The product was developed according to the principle "Privacy by Design". This means that data security and data protection were already taken into account during the development of the software.
Due to the client-side encryption, the data sovereignty lies exclusively with the user. Not even DRACOON itself as provider has the possibility to access stored information or scan it for further purposes.
DRACOON exclusively uses German and European data centres. Therefore data access by foreign authorities - also for investigation purposes - is excluded. Also no data transfer to third parties takes place.
The solution has already been described as "Leader" by independent top analysts such as ISG. But also various certificates and seals such as ISO27001, EuroPriSe and the BSI C5-Testat repeatedly prove the high security level. With its service, it integrates itself deeply into the company processes and thus provides a maximum protected cocoon for your data - and every connected application.
With DRACOON you use a completely secure and GDPR compliant environment to store, manage and share your data.
These Stories on Compliance, Data Privacy & GDPR
© 2023 DRACOON GmbH
Made in Germany
Phone. +49 (941) 7 83 85-0