From the perspective of a website owner or online service provider, the GDPR looks like a monster. On the other hand, it gives private users as well as companies more control over their sensitive data and, hopefully, data security will further improve with this law.
But there is a new, annoying and mostly expensive issue now for many companies located in the EU: with the GDPR it becomes almost impossible to use software which isn't self-hosted.
In July the commissioner for data protection of the German state Hesse stated that public schools shall no longer use Microsoft 365 and even doubted that any Microsoft product is suitable for public education. ZDnet published an article about the commissioner's concerns. Sending telemetry data to Microsoft is not the only thing that makes MS 365 incompatible with the GDPR (pupils are not able to give their consent for a licensed product used by hundreds of people). The main issue is the US CLOUD Act: this US law enables US authorities to get access to any data stored on servers worldwide, as long as those servers are owned by American companies. For European users this creates the following conflict: any (American) company which doesn't allow self-hosting of its software products and uses e.g. Amazon Web Services (AWS) to store sensitive data is violating the GDPR.
Read the whole text on the ZDnet website.
Slack, for example, uses Amazon Web Services and is even featured as a case study on the AWS website. This does not comply with the GDPR, and companies should look for software alternatives to Slack, Skype or Office 365. According to the CLOUD Act, the authorities can even prohibit service providers from passing on information about their searches to their customers. What exactly is considered a security-relevant search, however, is formulated very vaguely. And even if the GDPR leaves a gap for such searches when a mutual assistance agreement exists between the countries, companies are on the safe side if they take their data completely into their own hands.
Years will pass before there is a European cloud solution that fully complies with the GDPR. During this time, companies that continue to stick to their existing solutions risk high fines.
It is time for companies to look for alternatives to Slack, Office 365, WhatsApp, and other vendors who generally store their data outside the EU, especially when dealing with sensitive data.
Data security and data sovereignty should be checked carefully!
With VNClagoon, VNC built a software stack which is not only completely modular, but also solves the hosting conflict: VNClagoon can be hosted on-premise as well as in a data center of the customer's choice. Therefore it is under the complete control of the company and protected from the CLOUD Act. From email to phone and video conferencing, project management via calendar and task management, and a social intranet, VNClagoon offers a fully modular system that can be tailored to the needs of any business and grows as needed.