Zivver achieves DCB0129 status for NHS Clinical Safety Risk Assesment
It is estimated that the U.S.A. supplies 80% of the global cloud computing services. And nearly all most-used cloud-based solutions for email and word processing are from the US. This causes a big issue for European companies using these vendors since they are not GDPR compliant. This is the conclusion of a research performed by the Swedish National Public Procurement Service, that reports directly to the EU Open Source Observatory.
The European Union (EU) contains 28 countries, and it has some of the most strict sets of data protection regulations in the world. These don’t just affect organizations based in Europe, but anyone who deals with private data of any citizens of those 28 countries.
Organizations which hold this information need to conform to the current EU General Data Protection Regulation (GDPR). The directive includes requirements to keep the data secure; and that the data must not be exported outside the European Union, except to countries or organizations that have signed up to equivalent privacy protection.
A cloud adoption and risk assessment in Europe reports that 74% of cloud service providers used by employees in European organizations do not meet these stipulations entirely, the other 26% do not comply at all. Therefore, any organization using these services ‘as-is’ with privacy-sensitive data could potentially brake the GDPR directive.
GDPR and the Swedish dilemma
As stated by Swedish Government Lawyers public providers in Sweden are not allowed to use US-rooted web-based SaaS products, such as word processors, e-mail or chat services because of US surveillance laws such as the Cloud Act, Executive Order 1233 and Section 702 of the Foreign Intelligence Surveillance Act. These laws conflict with GDPR and therefore vendors that are US-rooted and fall under these laws can not offer enough privacy to their users.
In a study on the use of web-based office support tools, the Swedes could not find any all-around cloud service provider that can offer the public sector a product that is 100% compliant. According to the 'Kammarkollegiet' (founded in 1539 and thus the oldest Swedish civic organization), public services and companies must work together to build solutions that do comply with the European rules. Unfortunately, these solutions are not yet entirely in place in Europe or nowhere else in the world for that matter. Maybe this is the reason why we have not yet seen a massive GDPR enforcement. Although there are European initiatives to address specific areas of GDPR such as email and file sharing protection. At the time of writing, no solution addresses all cloud computing needs (i.e. Google, Microsoft) that are fully GDPR compliant
Possible solutions for the GDPR compliance and cloud computing in Europe issue
The GDPR directive is the most comprehensive set of rules related to individual data privacy, ownership, storage, and distribution in the world. Private data has been used and abused by companies that base their business models on capitalizing on not clearly consented use of private data. The GDPR was put in place to put an end to that, and to stipulate definitions and processes regarding the universal human right to privacy. Most importantly to hold accountable organizations that violate it. Other parts of the world will most likely follow GDPR in the future. In California, US, for example, the California Consumer Privacy Act will become active in 2020, which holds strong resemblance with GDPR.
The general European public welcomed GDPR with open arms, for the most part. However, on the contrary companies within the EU were faced with a considerable challenge. They are now forced to comply with a gigantic set of rules that completely change the way they have been used to operate. To make things even more complicated, many of these rules have no solutions yet. Web-based office support tools are a perfect example of it. Organizations in Europe and around the world have become increasingly dependent on it. Which raises the question: how can a European company that depends on cloud computing be entirely GDPR compliant? Unfortunately, there still is no straightforward answer to this question. Nevertheless, there are ways around it.
To discuss possible solutions, it is first it is important to understand what the problem really is. Basically, it comes down to the following; According to GDPR no-one else than the persons whose data is involved should be allowed to access/see the data without a justified ground to do so. Sounds logical, right? But giving that, this requires that either you store your own data, or you make sure data in the cloud is (properly) encrypted and only you have the keys, or you sign data processing agreements with all parties involved with processing your data. Sounds logical too, right?
Given that, organizations have the following theoretical options in using office support tools like word processors and email programs:
- Not use cloud services and host all data and services yourself. For many organizations, this is just not a realistic option, given the required expertise and significant costs of purchase, installing, maintaining and supporting servers and software. Even discarding the functional limitations that most likely come with these solution.
- Contract European service providers that are fully GDPR compliant and guarantee data storage and processing in a GDPR-compliant data center. This sounds easy but comes with a challenge. The market of Cloud-services is a dynamic market with frequent strategic purchases, predominantly by non-EU parties. This means that, although a provider might be GDPR-compliant now, this could change overnight. This risk can only be mitigated if organizations include a clause in the contract with the service provider that clearly states that a non-EU counterpart will never purchase it. However, whether this is realistic is questionable.
- Contract European service providers that are fully GDPR compliant and use encryption of data that ensure that only those involved have the keys to decrypt the data, so-called asymmetric encryption. This way it doesn’t really matter where data is exactly stored, as decrypting data without keys is not possible. Of course, data needs to be stored in an ISO27001, SOC 2 compliant data center within the EER to mitigate the risk that someone could even access the encrypted data.
Given the above, solution 3 seems the most viable and future proof. However, the Swedes concluded, there is no European player that offer a comprehensive set of office support tools that is GDPR-compliant. This means that being 100% GDPR-compliant, at the time of writing, as a European organization is only possible by a combination of hosting part of your office support tools yourself, e.g. keep on using desktop versions of Microsoft Word, Excel and Outlook, and looking for full-encryption solution providers, e.g. for your e-mail and file-sharing. Because for email and file sharing there are European cloud-based solutions that are GDPR-compliant.
ZIVVER is a secured digital communication solution based in the Netherlands, a country where individual privacy is paramount and regulated; so much so that its rules regarding it served as one of the references for the creation of the GDPR. Additionally, ZIVVER utilizes asymmetric encryption as well as 2-factor authentication for its email and file sharing service making it fully GDPR compliant. For details please download our product sheet at the end of this article.
The bottom line is the understanding of who truly owns the raw digital data. Individuals own the information that the data contains once it is decrypted, the raw data itself belongs to no one. It carries no information besides a string of 0s and 1s that have absolutely no meaning or value whatsoever. Therefore a cloud provider that guarantees the non-holding of private decryption keys poses no threat in regards to data leaks on their part. The combination of a secured digital communication solution and a cloud service that does not hold private keys diminishes considerably the threat of data leakage. Subsequently, providing a protective shield to GDPR repercussions for now, or at least until a fully European GDPR compliant cloud service provider comes into the market.
While it takes time to achieve full GDPR compliance, it is essential for organizations to find the appropriate solutions, at the best of their abilities, to protect private and sensitive data for the long run. Now more than ever, data protection and privacy have global attention, and the world with GDPR will be a proving ground for companies to regain and maintain the trust of their customers. If working with US-rooted, cloud-based office support tools is indeed conflicting with GDPR as the Swedes conclude, the challenge for many organizations is even greater. As European GDPR compliant office support cloud providers do not yet exist, the only logical step is to start with just moving email to a GDPR-compliant provider. Waiting for a full office support provider will probably not be the best strategy. Despite the choice you make, one thing is certain, the GDPR-pressure on organizations and suppliers is officially on.