Cloud and GDPR Whitepaper
Following the Schrems II ruling, organizations can no longer base their data transfers to the US solely on
transfer mechanisms (e.g. contractual clauses); they must ensure that measures are implemented to
mitigate the impact of legislation that may enable public authorities to request access to data, including
personal data. Organizations must therefore carry out case-by-case assessments and document them, to
ensure an adequate level of protection for any existing or potential transfer of data to a third country.9
There are multiple reasons why the Schrems II ruling is challenging for organizations. Firstly, the ruling resulted in
legal uncertainty, and organizations were therefore seeking further clarification and guidelines from the European
data protection authorities. In particular, organizations were waiting for guidance on the steps
companies need to take when transferring personal data on the basis of SCCs or BCRs in the new
context. On 18 June 2021, the EDPB published its ‘Recommendations 01/2020 on measures that supplement
transfer tools to ensure compliance with the EU level of protection of personal data’.
Secondly, further to this decision, many organizations may have realized that they need better
knowledge of the data transferred on their behalf.
Finally, stopping a migration to the cloud might not be the best or safest answer, even with regard to data
privacy. Moving to the cloud is a chance for organizations to improve the overall level of security of their IT
environment and mitigate other potential security and privacy risks by implementing Security and Privacy by
Design from the start. As such, this is a question of balancing different risks and requirements.
Whatever measures you decide to implement, always keep in mind that you should verify their
effectiveness. Using a methodical, standardized way to assess the use of these cloud services will benefit your
organization in terms of speed, effectiveness, and level of compliance. Maintaining documentation also enables
you to demonstrate that you carefully considered all aspects related to data protection. Below is a brief
summary of the most relevant aspects of the EDPB recommendations, as visualized in the steps above, together with other means which we
think can complement the approach suggested by the EDPB. See more on Capgemini’s way of tackling
these challenges in the Capgemini Approach section below.
A good example of a service that appears to enable organizations to meet this requirement is Microsoft Double
Key Encryption (“DKE”). It uses two keys to protect data: one key under your control and a second key stored
securely in Microsoft Azure. Viewing data protected with Double Key Encryption requires access to both keys.
An organization can use DKE in Office 365 to ensure that data is not readable by Microsoft, although this
does limit some of the functionality within Office 365.
With an External Key Manager in the Google Cloud security architecture, you can use an external provider to
protect some of your Google Cloud services, such as BigQuery and Compute Engine. For example, the Hardware
Security Module (HSM) as a service from the well-known security firm Thales is certified as compatible with
Google Cloud. This is significant because Thales is a European company, with infrastructure located in Europe
and experience in high-security environments such as defence.
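The two-key principle behind services such as DKE can be illustrated with a deliberately simplified sketch. This is a toy XOR-based scheme for illustration only, not the cipher any of these products actually uses (real implementations rely on standard algorithms such as AES); the point is the property that neither key alone suffices to read the data:

```python
import secrets

def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two equal-length byte strings."""
    return bytes(x ^ y for x, y in zip(a, b))

def double_key_encrypt(data: bytes, org_key: bytes, cloud_key: bytes) -> bytes:
    # Toy one-time-pad-style scheme: both keys are as long as the data.
    # The ciphertext can only be recovered with BOTH keys, so neither the
    # cloud provider (holding cloud_key) nor anyone holding org_key alone
    # can read the data.
    return xor_bytes(xor_bytes(data, org_key), cloud_key)

def double_key_decrypt(ciphertext: bytes, org_key: bytes, cloud_key: bytes) -> bytes:
    return xor_bytes(xor_bytes(ciphertext, cloud_key), org_key)

document = b"customer record"
org_key = secrets.token_bytes(len(document))    # kept under your control
cloud_key = secrets.token_bytes(len(document))  # held by the provider

ct = double_key_encrypt(document, org_key, cloud_key)
assert double_key_decrypt(ct, org_key, cloud_key) == document
# With only one of the two keys, decryption yields random-looking bytes.
```

The design choice this mirrors is that the data exporter never hands the provider enough material to decrypt on its own, which is exactly what makes such services relevant as a supplementary measure after Schrems II.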
Pseudonymized Data
When using a CSP for certain processing activities, such as data analytics, you might be able to replace identifiers
with scrambled and/or aggregated versions, making it impossible to get back to the original identities. Within
certain limits, this can still allow statistical analysis and machine-learning model training, for instance. When using
pseudonymisation, the data exporter replaces identifiers with pseudonyms and keeps the original identifiers in a
distinct location. For pseudonymisation to be effective, the following conditions should be satisfied and
documented:
▪ Personal data can no longer be attributed to a specific data subject, nor be used to single out a data subject in a
group, without the use of additional information;
▪ The additional information is held exclusively by the data exporter and kept separate, or is completely erased
if not needed;
▪ Disclosure or unauthorized use of that additional information is prevented by appropriate technical or
organizational measures;
A telecom operator wishes to perform statistical analysis on consumption data (Call Data Records, or CDRs)
from its customers, using a cloud-based AI platform. Transferring CDRs as-is would mean revealing personal
and sensitive data. The operator has therefore chosen to pseudonymize them, replacing the customer IDs and
phone numbers with one-way hashes.
If the operator then wants to use the insights derived from the analysis (to identify churn risk or potential
fraud, for instance), it can reconcile the insights with a table mapping hashes to real numbers, kept on its
on-premises platform. If the analysis is for statistical purposes only, this mapping is not even necessary.
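A minimal sketch of this pattern, assuming keyed hashing with HMAC-SHA-256 (the field names and the secret key are illustrative; both the key and the hash-to-number mapping stay on-premises):

```python
import hmac
import hashlib

# Secret key kept strictly on-premises; without it, the hashes cannot be
# brute-forced from the relatively small space of phone numbers.
SECRET_KEY = b"on-prem-secret-key"

def pseudonymize(identifier: str) -> str:
    """One-way keyed hash of a customer identifier."""
    return hmac.new(SECRET_KEY, identifier.encode(), hashlib.sha256).hexdigest()

# On-premises mapping table, used later to reconcile cloud insights
mapping = {}

def export_cdr(cdr: dict) -> dict:
    """Replace direct identifiers before sending a CDR to the cloud platform."""
    pseudo = pseudonymize(cdr["phone_number"])
    mapping[pseudo] = cdr["phone_number"]  # stays on-premises
    return {"caller": pseudo, "duration_s": cdr["duration_s"]}

record = export_cdr({"phone_number": "+33123456789", "duration_s": 124})
# The exported record contains no direct identifier...
assert "+33123456789" not in record.values()
# ...but insights keyed by the pseudonym can be reconciled on-premises.
assert mapping[record["caller"]] == "+33123456789"
```

Using a keyed hash rather than a plain hash matters here: with plain SHA-256, anyone could enumerate all phone numbers and reverse the pseudonyms, defeating the purpose.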
Multi-party processing
Multi-party processing requires a data exporter to split data in such a way that no part an individual processor
receives suffices to reconstruct the data, in whole or in part. The data exporter splits the data before transmission
to distinct processors and merges the results after receiving them back. The final result could constitute personal
or aggregated data. If a data exporter wishes to use this technology, it should ensure the following requirements
are met:
▪ The data exporter must split the data into two or more parts, each of which can no longer be interpreted or
attributed to a specific individual without the use of additional information;
▪ Each part is transferred to a different processor in a different jurisdiction;
▪ Optionally: the processors process the data jointly, e.g. using Multi-Party Computation (“MPC”), in a way that no
new information is revealed;
▪ The algorithm used is secure against active adversaries;
▪ There is no evidence of collaboration between public authorities in the different jurisdictions, or evidence that
public authorities in one of the countries are able to use their powers in both jurisdictions;
▪ The controller has established, by means of a thorough analysis of the data in question, that the pieces of
personal data it transmits cannot be attributed to an identified or identifiable individual.
A real-life application of multi-party processing can be found in Denmark, for auctioning sugar beets
between beet farmers and Danisco, the only beet processor on the Danish market. Farmers make
offers for volumes and prices, and the market price and volumes are then determined based on market demand.
Farmers do not want to reveal their economic positions and productivity, especially to Danisco, and having a
third party act as auctioneer would be risky and expensive.
Starting in 2008, multi-party cryptographic processing between Danisco, the beet farmers’ association and
the European public tenders office was used to cooperatively obtain an optimal marketplace without any party
having a view of all the offers.
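The splitting step can be illustrated with additive secret sharing, a common MPC building block (a simplified sketch, not the actual protocol used in the Danish auction): each value is split into random-looking shares that individually reveal nothing, yet processors holding different shares can still compute sums jointly.

```python
import secrets

P = 2**61 - 1  # public prime modulus; all arithmetic is done mod P

def split(value: int, n_parties: int = 2) -> list:
    """Split a value into n additive shares; each share alone is uniform noise."""
    shares = [secrets.randbelow(P) for _ in range(n_parties - 1)]
    shares.append((value - sum(shares)) % P)
    return shares

def reconstruct(shares: list) -> int:
    """Only a party holding ALL shares can recover the original value."""
    return sum(shares) % P

# Two farmers' bids, each split between two processors in different jurisdictions
bid_a, bid_b = split(1200), split(800)

# Each processor adds the shares it holds, never seeing a full bid...
partial_sums = [(a + b) % P for a, b in zip(bid_a, bid_b)]

# ...and merging the partial results yields the total demand.
assert reconstruct(partial_sums) == 2000
```

This illustrates the requirements above: each share is meaningless on its own, the shares go to distinct processors, and the processors can still jointly compute an aggregate (here, total demand) without any new information about individual bids being revealed.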
Capgemini has developed a methodology combining a variety of subject-matter expertise to help
organizations make confident and well-informed decisions that fit their situation, maturity level and sector.
With a multidisciplinary team covering all relevant expertise, we can carry out all steps of our methodology
within a relatively short period of time. In three steps, Capgemini aims to help organizations move forward
in a manner they feel comfortable with. By taking a risk-based approach, we help organizations focus on the
most important challenges they are facing, while improving their maturity level for the future.
First, we start by identifying and analysing the environment. This can cover both the current IT landscape that is
scheduled to be moved to the cloud, together with the modernization plan, and systems and services that have
already been moved to the cloud. Based on the information collected during this phase, we analyse the risks at
stake at different levels. This assists organizations in tackling the highest risks first.
In practice it can be difficult for organizations to maintain all this information in a properly managed overview that
is updated regularly. As such, we often need to involve multiple stakeholders and/or sources to get a complete
view. Below are some examples of the sources that the Capgemini team will use for input.
Depending on the agreed scope, the outcome of this stage is an overview of the systems which might be involved in
cross-border transfers of personal data, the relevant factors impacting the level of risk, a risk level and, if needed,
a prioritization. In addition, we provide a management report including a general overview of our observations,
findings and risks identified during the mapping and prioritization phase, together with recommendations on how
to address these issues in the future.
This step provides senior management with a general understanding of the impact of Schrems II on their
organization, the number of services affected by it, and the potential risks involved. Having an initial
overview of the current situation enables you to address the biggest issues first, so that senior management
can make an informed decision on the scope and next steps.
– Information required to analyse the specific risks related to the respective data transfer. This includes,
for example, a good understanding of the legal system of the country in scope and of the protection of
the fundamental rights of citizens and other individuals. It may also include data on corruption,
court decisions, and other sources that can be considered relevant and trustworthy
– An in-depth understanding of the data transferred to the respective countries and their state
(pseudonymized, encrypted, etc.)
– A clear view of the end-to-end data lifecycle, enabling us to understand which additional measures
could be taken prior to the data transfer
– First, we identify all potential risks to the data subjects arising from the cross-border data transfer
– Second, we review the end-to-end processing activity to assess what measures are needed to mitigate
these data protection risks. These measures can be commercial (terms and conditions with suppliers),
organizational (setting up specific processes with vendors and internal teams) or technical (implementing
additional encryption devices)
– Finally, we produce a report in which we provide a clear overview of the risks, recommended measures
(and potential residual risks) and, optionally, an estimation of the costs to mitigate the risks
Additionally, we can help organizations explore alternative solutions.
Email: yannick.martel@capgemini.com
https://www.linkedin.com/in/ymartel/
Robert Kreuger
Email: robert.kreuger@capgemini.com
https://www.linkedin.com/in/robert-kreuger-b3584324/
About Capgemini
Capgemini is a global leader in partnering with companies to transform and
manage their business by harnessing the power of technology. The Group is
guided every day by its purpose of unleashing human energy through technology
for an inclusive and sustainable future. It is a responsible and diverse organization
of 290,000 team members in nearly 50 countries. With its strong 50-year heritage
and deep industry expertise, Capgemini is trusted by its clients to address the
entire breadth of their business needs, from strategy and design to operations,
fueled by the fast evolving and innovative world of cloud, data, AI, connectivity,
software, digital engineering and platforms. The Group reported in 2020 global
revenues of €16 billion.