For some years now, there has been a trend for more and more data to be filed and stored on cloud-based servers. Almost all major IT manufacturers offer their customers cloud-based services, such as Apple with the iCloud, Microsoft OneDrive or Azure Cloud, Dropbox Cloud or ERP systems that store their data in the cloud. Cloud-based store and make available. The advantage of cloud-based solutions is the centralized data storage and the ability to access the data from anywhere, provided there is access to the Internet.
However, as always, where there is light, there is also shadow, and cloud systems are no exception. The disadvantages of cloud-based systems are actually quite glaring, as the user hands over control of their data to the cloud provider, which can lead to data loss in the worst case scenario. In the following article, we will show you the characteristics of cloud-based systems as well as the legal regulations and show you how you can set up your own cloud with the same advantages, but without losing control of your data.
From card index boxes to cloud solutions
Until the 1990s, data in companies was often archived on paper and often filed in individual folders in large filing cabinets. For each process, the employee had to walk to the filing cabinet and look for the file for the process. In the best case scenario, the file was in the place where it was supposed to be, but it was not uncommon for files to be sorted incorrectly or to be being processed by another employee and therefore could not be found quickly.
Somewhat later, some companies began to photograph their paper files on microfilm so that they could be read out centrally using a suitable projector. Compared to paper files, this only brought a few advantages at a higher cost. The main disadvantage of both of these old forms of archiving was that the data was only available once in one place and often took a long time to find. But they also had an advantage: the company was the owner of the data and also had sovereignty over its data.
From Word and Excel to the local ERP solution
In the second half of the 1990s, most companies began to store their data centrally on servers, which were then created using programs such as Microsoft Word or Excel or scanned from paper documents. This eliminated the tedious process of searching for paper files in filing systems, but due to the volume of new digital documents, the overview of the documents created was often lost after some time. For a better overview, many companies introduced ERP systems, which were usually stored locally on a computer or on a Server were set up. Even with these solutions, the company had full control over its data, but also had to ensure the security of the data itself, e.g. in the form of backups.
From the information society to the knowledge society
The last century saw the transition from an industrial society to an information society, in which the internet became popular and more information than ever before can be accessed freely within seconds. Today, we are evolving from an information society to a knowledge society, in which sovereignty over the data used is becoming particularly important. Even today, more and more data on the Internet is no longer freely available. Anyone who does not have sovereignty over their data is at the mercy of the provider, in this case the cloud provider, in every respect, because only they have the technical ability to administer your data. This also applies to the security of your data on external servers, which you have neither access to nor any other influence over.
Cloud: Convenient, inflexible and not entirely safe
In recent years, there have been more and more providers on the market offering cloud-based ERP systems. Here, all data is stored on a cloud server provided by the system provider. The advantages are obvious: the set-up time is usually very short and the company can access the data from anywhere in the world. The biggest disadvantage of cloud systems, however, is that the customer no longer has sovereignty over their data and is pushing their data "into a black hole", so to speak. At best, some cloud-based systems at least offer export functions so that at least parts of the data can be used with other programs, for example. However, it is usually only possible to export customer or article data, for example, and not all data. If data sovereignty no longer lies with the company, the following risks can arise:
- No access to the data if there is no Internet access
- Dependence on the provider in terms of access and data security
- Data loss and data manipulation
- Access to the data by the cloud provider, third parties or intelligence services
- Account theft and misuse of accounts
- What happens if the cloud provider has technical problems or, in the worst case, stops operating the software?
- Legal uncertainties in relation to data protection and GDPR
- Enforced rental model: data is only available with regular payment
Legal risks when using cloud storage
The use of cloud storage entails various legal risks, which vary depending on the type of cloud storage service and the type of data stored in the cloud. Some of the most important legal risks are
Data protectionCloud storage providers can store personal data and other confidential information. This usually requires compliance with strict data protection laws and regulations. If a company or individual stores personal data in the cloud, they must ensure that the cloud storage provider complies with data protection regulations.
Data securityCloud storage providers must take appropriate measures to ensure the security and integrity of data in the cloud. This includes the use of encryption technologies to ensure that the data cannot be read or stolen by unauthorized persons.
ComplianceCompanies and organizations that are subject to specific legal requirements must ensure that their data in the cloud complies with the requirements. For example, financial institutions must comply with the requirements of financial regulators, while healthcare providers must follow HIPAA (Health Insurance Portability and Accountability Act) regulations.
ContractsWhen a company or individual uses a cloud storage provider, they usually have to sign a contract. It is important that the contract covers all relevant legal and financial aspects of using the cloud storage. The terms may include data availability, limitations of liability and indemnity provisions.
Geographical restrictionsCloud storage providers may have geographical restrictions on the storage of data. For example, a company that stores personal data of EU citizens may be forced to choose a cloud storage provider that is located in the EU in order to meet the requirements of the GDPR (General Data Protection Regulation).
Overall, there are various legal risks that should be considered when using cloud storage. Companies and organizations should ensure that they understand the legal requirements and take appropriate measures to protect the data in the cloud and ensure compliance.
What does the GDPR say about cloud-based systems?
The commissioning of subcontractors is subject to stricter requirements under Art. 28 GDPR than under previous German law. However, many agreements already contain such provisions. But a detailed examination is also necessary in these cases. In the case of a cloud system whose servers you do not operate yourself, you pass on the responsibility, for which you may be liable in case of doubt, to a subcontractor that you cannot control.
According to Art. 28 GDPR, the contractor must be made more responsible for supporting the client in fulfilling their rights. With cloud services in particular, however, this is only partially consistent with the reality of the cloud service used.
According to Art. 25 GDPR, the obligation to ensure data protection through technology design and data protection by default is formally incumbent on the client. However, as the implementation of the obligation cannot be ensured through the use of the service alone, these obligations are effectively "passed on" to the cloud provider, over which the client then no longer has any influence.
Many providers do not store the data on servers in the EU. However, the conclusion of data processing agreements alone is not sufficient for the transfer of data to a third country. Since the ECJ ruling, companies can no longer rely on the Privacy Shield certification for cloud providers from the USA.
More information on the cloud and GDPR
German Bundestag - GDPR and use of US cloud services (elaboration WD 3 - 3000 - 102/21)
TÜV Süd: Checklist - When is a cloud service GDPR-compliant?
The solution: Your own cloud with Claris FileMaker Server
Our FileMaker platform-based gFM Business ERP software has been designed so that you retain full control over your data, even if you set up the software as a cloud system. We deliver our software as FileMaker databases (.fmp12 format), which can be opened with any FileMaker Pro version 17 or higher on Apple macOS, Microsoft Windows and iOS. Data sharing over the Internet is encrypted with an SSL certificate of your choice to ensure maximum data security. FileMaker Server can create automatic backups several times a day during operation.
Even in all single-user versions, you are always the owner of your data, which is stored locally on your computer. This means that you can always use the software, even if you do not have access to the Internet. All single-user versions are portable and can be used immediately by simply copying them to another computer.
Our software allows you to export your data in any format at any time. The databases are open for access to all data tables from other FileMaker databases. This means that you not only retain control over your data, but can also access all data from gFM-Business from your own FileMaker solutions and thus easily optimize your operating processes. gFM-Business is the All-In-One Merchandise management for Mac, PC and iOS.
