IT compliance & cloud*)

Rules are becoming ever more important, especially in the digital environment: GDPR, IT security laws, §203 StGB, the KRITIS baskets (sector groups of critical infrastructure), to name just a few German examples. The GDPR is certainly the most widely known. It is also, unfortunately, often misunderstood or misused. Data protection does not hinder innovation, unless "Stasi 2.0" is regarded as innovation. Even if Dr. Google says otherwise: "Compliance hinders innovation" - Google hits - 219,000 (07.10.19) - 298,000 (05.09.20) - 701,000 (19.11.21) (German-language search). A claim does not become any more correct by repetition. Compliance can also definitely drive innovation.

From my perspective, this simply shows a kind of refusal to engage with IT compliance. You hear far less of this from the financial sector. There it is part of the DNA to explore "design freedom", e.g., when preparing the balance sheet, even if boundaries are sometimes crossed, as in the Enron scandal or the Cum-Ex transactions, and then punished accordingly.

Legal principles and rules must be set at the start of an IT project as its first business requirement, not considered only shortly before go-live, usually under pressure.

Laws, regulations and supervisory circulars serve to regulate our society and how we want to live together. This also applies to the digital space and thus also to IT providers and IT users.

The following is a (non-exhaustive) list of the key points that must be taken into account in order to use the cloud in a compliant and stress-free manner.

Disclaimer: The following statements represent an expression of opinion, not a legal advisory service. Please consult your legal advisor or law firm for more information. My recommendation for German IT law: Michaela Witzel

Main categories of IT compliance

IT compliance can basically be divided into two main categories:

  • Compliance requirements for infrastructures and runtime environments, often called the Landing Zone: the technical basis on which applications and services run.
  • Compliance requirements for applications and services, which can differ greatly depending on the application area (e.g., claims management at an accident insurer compared to a social media application).

Subcategories of IT Compliance

Regardless of the main category, the following subcategories should always be considered:

  • General IT compliance requirements, which every company that uses IT must observe in accordance with the local jurisdiction.
  • Data protection requirements, which every company must observe as a matter of principle in accordance with the local jurisdiction.
  • Industry-specific IT compliance requirements set by the local supervisory bodies.

For the "normal" IT person, this is usually already "enough". I see the evasive maneuvers every time I discuss the topic. But there is no way around it: I am sorry, but IT professionals have to drill down one level further into compliance.

Dealing with IT compliance requirements

To understand the legal framework as an IT professional and to develop and implement a technical solution that meets the IT compliance requirements, the following procedure has proven very effective in practice:

  • Strictly separate the technical IT compliance requirements (infrastructure) from the compliance requirements that must be implemented within the application or service.
  • Avoid making use of legal opening clauses (provisions that permit deviations or exceptions). Example: classifying documents by their individual protection needs, instead of protecting all of them at the highest level, increases the complexity of the technical design and therefore the effort and complexity of implementation and operation.
  • As a rule, complexity leads to higher error rates. For this reason, always select only the most stringent IT compliance requirement. This reduces technical complexity and error rates, sometimes at the cost of higher initial expenditure.

Legal opening clauses are known to arise from compromises, and they were certainly useful as long as IT was operated on-prem. In the cloud*), opening clauses are more of an obstacle than a help.

In-application compliance requirements

The spectrum of IT compliance requirements within applications is very wide. It depends on what kind of application you want to build and in which industry it will be used.

Two examples can illustrate this: (Note: The enumerations listed below are not exhaustive).

  • For the portfolio management of life insurance companies in Europe, the BSIG (Act on the German Federal Office for Information Security), the compliance requirements of the Solvency II regime (Directive 2009/138/EC) and the national laws, regulations and supervisory circulars derived from it must be taken into account, among other things. In addition, reporting under FATCA (Foreign Account Tax Compliance Act) and, of course, the GDPR must be considered.
  • When operating a social media platform or app, on the other hand, further legal requirements must be observed in addition to the GDPR and the BSIG. In Germany these include the TMG (Telemedia Act), the TKG (Telecommunications Act) and the NetzDG (Act to Improve Law Enforcement in Social Networks), to name just a few.

So plenty of open issues remain even once the technical IT compliance requirements (those related to the infrastructure) have been solved. I will write about the technical IT compliance requirements in the next blog post, which will be published on 06.12.21.

Bottom Line

IT compliance is already highly important today, and this will only increase in the future. IT professionals will therefore have to engage with IT compliance requirements far more than in the past.

IT compliance is no longer a staff function. It must become an integral part of every project and of IT operations. Always select the strictest requirement, and avoid opening clauses in the technical design.

It makes sense to separate IT compliance requirements into technical (infrastructure) and application-specific requirements.

The interpretation of the GDPR, for example, should not be left to lawyers alone. IT people must read and work through the laws and regulations themselves so that lawyers and IT staff can arrive at a common picture.

******

*) By cloud I always mean hyperscalers such as AWS, Azure and GCP, i.e., cloud providers whose offerings fully match the NIST SP 800-145 definition of cloud computing.
