Data Privacy Radar: How the German C5 affects us all
The Data Privacy Radar is an ongoing series by our data privacy team to explore compliance and information governance issues for organizations around the world. Check out previous posts on GDPR and our global approach, and a US federal perspective.
In February 2016, the Bundesamt für Sicherheit in der Informationstechnik (BSI), or the German Federal Office for Information Security, established the Cloud Computing Compliance Controls Catalog (C5) certification after noting the rise of cloud computing in the country. With the C5, the BSI redefined the bar that cloud providers should meet when handling German data. The C5 raised the demands on cloud providers by combining existing security standards (including international certifications such as ISO 27001) with a requirement for increased transparency in data processing.
Under a single umbrella, the BSI defined the controls, audits, reports and accountability factors required to be a first-in-class cloud vendor operating in Germany.
Following the leader
But then the C5 gained even more power.
On May 5, 2016, the BSI determined that the C5 would be the mandatory minimum baseline for German government agencies to adopt public cloud solutions. For government entities and companies that wanted to work with the government, the C5 was no longer a nice-to-have, but a must-have.
We know from experience with regulatory bodies around the world that the private sector often follows the public sector. We expect it will not be long before there is a blanket requirement, whether you are a government-funded non-profit or a multinational corporation, to work with vendors that have achieved the C5 if you operate in Germany.
Killing two (very difficult to catch) birds with one stone
It is generally understood that Germany has some of the strictest data protection laws in all of Europe. Oftentimes, if you meet the regulations in Germany, you can assume that you’ll meet almost any regulation in Europe, and potentially the world.
By now, if you work with customers, vendors, or partners in Europe, you’ve heard of the General Data Protection Regulation, which comes into effect May 25, 2018. The GDPR is considered the new high bar for data privacy and protection that all companies processing EU data must meet.
Most of the requirements of the C5 also happen to be included in the security requirements of the GDPR, so by obtaining the C5 you can practically kill two (very complex and difficult to catch) birds with one stone.
Looking in a crystal ball
Box was the second company ever to obtain the Cloud Computing Compliance Controls Catalog certification from the Bundesamt für Sicherheit in der Informationstechnik. How were we in a position to be such an early adopter of the C5, and why was it so noteworthy?
As a global data privacy team, we pride ourselves on maintaining proactive relationships with Data Protection Authorities (DPAs) around the world, not only educating DPAs on the Box security and compliance posture, but also keeping a very close pulse on the latest and greatest privacy considerations of DPAs.
By being one of the first two companies ever to achieve the BSI C5 certification, and having recently obtained the TCDP 1.0 (Trusted Cloud-Datenschutzprofil für Cloud-Anbieter), Box positions itself at the highest level of data protection, security and privacy in Germany, offering its customers a trusted solution well-positioned for GDPR compliance.
At Box, we make compliance easier for our customers so they can focus on their mission. To learn more about how Box helps customers address data residency concerns, meet retention and legal hold requirements, or choose encryption options, check out the Box security and compliance webpage.