An article by Claus-Dieter Ulmer, Global Data Privacy Officer and Senior Vice President Group Privacy.
During the coronavirus pandemic, cloud services of all kinds have been in demand like never before. Videoconferences, e-learning platforms and storage services in the cloud make working from home and home schooling possible so we can stay in touch despite the distance. Many consumers and companies alike have to decide, sometimes for the first time, what services to sign up for. Many digital offerings already implement exemplary data protection and data security. Unfortunately, it's a mixed bag. And it is not always easy to make the right choice of data protection-friendly services.
This is despite the fact that Europe's General Data Protection Regulation (GDPR) ensures that European services at the least must guarantee a high level of data protection. However, consumers still rarely recognize at first glance where a service comes from. Data protection notices are often complicated and, being honest, very few people bother to read them. Clear labelling could help. Something like a German TÜV seal. An official logo certifying GDPR standards, checking and confirming that data protection provisions are being fulfilled.
And it is not just consumers who are guided by this sort of certificates. Our corporate customers place the highest value on data protection. Being able to certify our cloud solutions would offer customers additional certainty. And give European products a competitive advantage over international suppliers.
AUDITOR standard as data protection certificate
In collaboration with industry and science, the German Federal Ministry for Economic Affairs and Energy has developed a standard for a certification for GDPR-compliant cloud services. Deutsche Telekom was also involved in the development process. The AUDITOR standard has been ready since last autumn. Under this data protection certificate, an external inspection body (for example DEKRA or TÜV) checks and confirms compliance with the requirements. All that is missing is for this standard to be recognized by the German accreditation and supervisory authorities. Four years ago, the Federal Ministry for Economic Affairs and Energy launched the Trusted Cloud initiative to develop a data protection certificate for cloud services. The Trusted Cloud data protection profile was first developed by partners in industry and science, followed by the AUDITOR standard. However, the authorities have still to develop matching test criteria for these standards. If German cloud products are to remain competitive in the long term, we need the regulatory authorities to move quickly towards recognition.
I consider it imperative that German authorities now come up with results at long last. Amidst the coronavirus crisis, adults, children and young people are all chiefly working and learning using digital cloud services. Whole branches of industry have moved to home-based offices and are sharing more data online than ever. The world is in the midst of a push towards digitalization. We must not let this moment go by without also enhancing data protection. In the interest of data protection, we now need reliable certifications.
Cooperation with GAIA-X
We must not miss this opportunity to create a competitive advantage for Europe. This is why it is good that AUDITOR is cooperating with "GAIA-X", a European cloud project under the auspices of the German Federal Ministry of Economic Affairs. GAIA-X is a project to set up high-performing, competitive, secure, and trustworthy data infrastructure in Europe. The first point mentioned in the GAIA-X preamble is compliance with European data protection rules. It is thus essential that a relevant data protection certification can be applied. The GAIA-X project's "Certification" working group sees a GDPR certification as a prerequisite for GAIA-X network nodes and services designed to carry "substantial" services and process personal data. AUDITOR is currently the most mature European data protection certification project. The cooperation between AUDITOR and GAIA-X is thus an asset for European data protection.
It is a big step forward. Now the certification of cloud services must follow. That is why, as part of a pilot, we are currently certifying Deutsche Telekom’s cloud solutions Open Telekom Cloud and our vCloud services in line with the finalized AUDITOR standard Despite it lacking recognition from the authorities. Moreover, the Open Telekom Cloud served as a prototype for the development of the predecessor standard TCDP, and, as a lighthouse project, was the first German cloud with TCDP data protection and BSI certification. In the interests of data protection, I would like to see the German authorities finish developing their test criteria by the time the pilot certification is completed. The GDPR was an important milestone for data protection in Europe. Two years after its introduction, the time has come for Germany and Europe to introduce data protection certification.