Is my service provider GDPR-compliant?

Written on February 26, 2018 by Lucia Schöpfer

The bugbear that is the GDPR is hovering close by. May 2018 is the date on everyone’s lips: the new EU regulation on the protection of personal data is about to come into force. A good thing, of course, since, at the end of the day, our data is one of the most valuable commodities of the 21st century. However, the bugbear title is especially apt given the drastically increased penalties that will now be applied in the event of non-compliance. No wonder, then, that everyone is a little apprehensive: in order to comply with the new regulation, what needs to be considered, and what can be done to ensure that nothing slips through the cracks?

We get asked the following question over and over: To what extent can the service provider help to ensure compliance with the General Data Protection Regulation and what aspects on the hosting side need to be looked at, especially in the area of virtual systems (clouds)? We asked Anexia’s data protection expert, Christian Maciossek (Head of Transition & Service Design), to give us some insight into these matters.

Christian, what is the GDPR and what changes does it bring with it?
The GDPR is the European Union’s new data protection guideline, which is set to come into force in May 2018 after a two-year transition period. The GDPR aims to protect personal data and ensure consistency of regulation across Europe. Data protection law in Germany and Austria, in particular, is already very strict; not a whole lot is expected to change in these two countries as a result.

What are the challenges facing service providers such as Anexia?
It is incumbent upon service providers such as Anexia to ensure a very high level of security. For us this means that both our own data centers and those of our partners must meet the high security requirements that we set. We guarantee this through, among other things, ISO 27001 and 9001 certifications, which have helped lay the foundation for compliance with the GDPR.
In addition, we’ve added to our security portfolio through the acquisition of SSP Europe. We are now in a position to offer our customers a broad spectrum in order to safeguard their systems. At the same time, we endeavor to identify DDoS attacks and other similar threats to our data centers at an early stage. For this purpose, we’ve greatly expanded our network with the Backbone Europe project.

What does the GDPR mean for our customers?
In unmanaged situations, in particular, our customers need to ensure GDPR compliance themselves. It’s like hiring a car: we ensure that the car has a TÜV certificate, is in safe condition and has been serviced. However, we cannot prevent someone from driving it too fast. And it’s a similar story with personal data, for example, when using virtual machines (VMs): here, we work with a container system. We know that a container exists, but we don’t always know what the content is. That is why it is important that our customers, especially in unmanaged situations, and in some respects also the customers of our customers, familiarize themselves with the current data protection laws.

What information is available on the GDPR?
If you are looking for information on the GDPR, you can find it on the website of the BSI, the Federal Office for Information Security. There you can find useful information regarding which rules are to be implemented: What type of hard disk encryption is recommended? How long and how complex should passwords be? And so on.
As very strict data protection laws have been in place in Germany for some time now, the German BSI has got some excellent tips on protecting personal data.

What does the GDPR mean in terms of cooperation with the USA?
This is a fascinating topic. Indeed, the agreement with the USA will now also change as a result of introducing these new rules: The Safe Harbour Agreement is rendered obsolete by the new GDPR and is now called the Privacy Shield. However, the treatment of personal data in the USA and in Europe remains a sensitive issue. This is highlighted, for example, in the decision-making of market leaders such as IBM. There, at the start of the year, it was decided to separate the European and US clouds and to put in place two operating teams. This ensures that no IBM employee in the USA has access to systems of European customers.
This is also a hot topic for our customers of the Anexia World Wide Cloud (WWC). However, we can guarantee: with our operations teams based in Germany and Austria, Anexia ensures that our staff, our Anexians, are fully clued up on the General Data Protection Regulation and that personal data is protected to the best of our ability.

We are happy to answer any further questions you might have on the GDPR and on the responsibility now assumed by your service provider: