Innovation requires data protection. How to make a secure cloud selection.

The cloud has become standard for many companies – whether for specialized applications, collaboration tools, or entire business processes. However, with every outsourcing of data to the cloud, the demands on security, data protection, and traceability also increase.

It is not the technology alone that is decisive, but how consciously it is selected, evaluated, and controlled. Those who proceed in a structured manner here gain several advantages at once: less liability risk, more transparency, and a solid basis for digital innovation.

What does “cloud” mean specifically?

Cloud refers to IT resources that are no longer operated in your own server room, but are rented from a provider – usually via the Internet. Typical models are:

• On-Premise / Private Cloud in your own data center – maximum control, but high internal effort.
• Private Cloud at the provider (Off-Premise) – infrastructure at the service provider, exclusively for one company.
• Public Cloud / SaaS – standardized services from the browser, infrastructure completely at the provider.

As soon as personal data is processed, the requirements from DSG / GDPR automatically apply – regardless of how modern or “market-standard” the solution is.

Responsibility remains with the management

Even if operation and administration are outsourced to an IT service provider: The legal responsibility remains with the company or the management.

• The cloud provider is responsible for its platform, not the overall risks of your business model.
• According to DSG / GDPR, the responsible party in the company remains obligated.• When one speaks of security in the cloud, one generally assumes a so-called “Shared Responsibility” model. This means that the cloud provider protects the infrastructure of the cloud itself, but the customer is responsible for the security of their data – i.e., a shared responsibility. How much or what is taken over by the cloud provider depends on the selected service model (SaaS, PaaS, IaaS, etc.).

Especially with providers based in the US, e.g. Microsoft, Amazon etc., additional data protection risks arise (e.g. possible access by foreign

authorities). These must be consciously evaluated – they cannot simply be “negotiated away.”

Typical weaknesses in practice

In many organizations, similar patterns emerge, such as:

• unclear or insufficient encryption,
• missing risk assessment of the data (which data is critical, which is less so?),
• no or delayed data protection impact assessment (DPIA) for high-risk processing,
• incomplete or missing data processing agreements (DPA) with cloud providers or IT service providers,
• inconsistent permissions management, where accesses are granted “on the side”.

The result: Uncertainty in audits, discussions with customers, and increased personal liability risks for management and responsible parties.

Structured approach for secure cloud decisions

A professional cloud decision combines legal, organizational, technical, and economic aspects. An approach in five steps has proven effective:

1. Clarity about data and risks – risk analysis

Identification of personal, sensitive data (e.g. health, customer, and employee data) and analysis of possible effects in case of loss, manipulation, or unavailability.

2. Risk assessment

Assessment of threats such as unauthorized access, data leak, failure, or espionage – in your own organization, during data transmission, and at the provider.

3. Define protection goals and requirements

Confidentiality, integrity, availability, data minimization, and traceability are translated into concrete technical, organizational, and contractual requirements.

4. Check and select cloud providers

Comparison of the services with the defined requirements: Security level, encryption, logging, SLAs, locations, possibly US reference, and supplementary measures such as encryption or pseudonymization.

5. Integration with compliance and everyday life

Conducting a DPIA (if required), concluding resilient AV contracts, clear cloud guidelines and processes, as well as practical training for employees.

Why a cloud risk check is worthwhile

A structured cloud risk check provides the management with:

• an objective basis for decision-making for the selection or continuation of a cloud solution,
• transparency about risks, responsibilities, and obligations,• and a clear roadmap, which measures are to be implemented in which order.

This way, the cloud does not become a weak point, but a stable basis for digitization and innovation – with controllable risks and clear evidence towards customers, partners, audits, and supervisory authorities.