DAM Blog
Everything about Digital Asset Management

Is digital asset management in the cloud secure?


When choosing digital asset management software, companies face the decision of whether to operate the system on their own servers (on-premise) or as software-as-a-service (SaaS). In the latter case, the DAM provider either hosts the data itself or outsources hosting to a cloud service provider. For companies in regulated industries in particular (e.g., government agencies or companies in the financial, energy, or medical sectors), data storage is a highly relevant issue: To what extent does a DAM cloud solution comply with European data protection rules, and can it also fulfill the company's own internal requirements?

Why does some data need to be protected?

What is personal data?

According to Article 4 of the GDPR, personal data is any information that can be directly or indirectly attributed to a person. This includes, for example, names, addresses, telephone numbers, account data, car license plates or location data. But it also includes appearance, national or religious affiliation or club memberships. It can also include photos of individuals if no written permission has been obtained for them. Above all, companies must protect the data of their employees and customers from data misuse.

Particularly in the case of a software-as-a-service DAM solution, companies should pay attention to where the data is stored, given the current legal situation. Above all, personal data is worthy of protection under European law. According to Article 8 of the Charter of Fundamental Rights of the European Union, every EU citizen has the right to informational self-determination and may decide what happens to their data and whether and to what extent it may be further processed. Data protection is also important for preventing data misuse. A key aspect of this is where data is stored and who has access to it. This is relevant not only for personal data but also for sensitive corporate data and company secrets.

Sensitive data on digital assets

If the digital asset management system is used as a central content hub, a lot of sensitive data may be stored there. Even when companies are aware of this, DAM systems often contain more data worth protecting than assumed. Metadata on digital assets can include personal data: for example, if the name of a person depicted in a photo appears in the file name or network path, or if such information is recorded in general metadata fields such as the description or as keywords. Geographic metadata (geotags) is another example; it is attached automatically to a photo or video when it is taken with a digital camera or smartphone. You should be aware of such details if you want to keep your data storage secure.
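To make the geotag point above concrete, here is an added example (written for this post, not code from the original article or from the Cavok product) of a check a DAM could run on upload: a standard-library Python script that walks a JPEG's marker segments, looks for an Exif APP1 block with a GPS sub-IFD, reports which GPS tags are present, and strips the Exif block before the file is ingested. The sample JPEG is constructed inline and contains nothing but a geotag, so the script runs offline; the parsing covers only what is needed to locate the GPS IFD, not the full Exif specification.

```python
"""Detect and strip GPS (geotag) metadata from JPEG files before they enter a DAM.

Constructed example: the sample JPEG below is built in code, not a real photo.
Only the standard library is used; the Exif/TIFF parsing covers what is needed
to locate the GPS IFD, not the full Exif specification.
"""
import struct

EXIF_HEADER = b"Exif\x00\x00"
TAG_GPS_IFD = 0x8825  # IFD0 entry that points to the GPS sub-IFD
GPS_TAG_NAMES = {1: "GPSLatitudeRef", 2: "GPSLatitude",
                 3: "GPSLongitudeRef", 4: "GPSLongitude"}


def iter_segments(jpeg):
    """Yield (marker, payload, start, end) for each marker segment of a JPEG."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI)")
    pos = 2
    while pos + 2 <= len(jpeg):
        if jpeg[pos] != 0xFF:
            raise ValueError("corrupt marker at offset %d" % pos)
        marker = jpeg[pos + 1]
        if marker == 0xD9:                      # EOI: stand-alone, no length field
            yield marker, b"", pos, pos + 2
            return
        if marker == 0xDA:                      # SOS: entropy-coded data follows, keep as-is
            yield marker, jpeg[pos + 2:], pos, len(jpeg)
            return
        (length,) = struct.unpack(">H", jpeg[pos + 2:pos + 4])
        end = pos + 2 + length                  # length counts its own two bytes
        yield marker, jpeg[pos + 4:end], pos, end
        pos = end


def parse_gps_tags(exif_payload):
    """Return the set of GPS tag ids found in an Exif APP1 payload (empty if none)."""
    if not exif_payload.startswith(EXIF_HEADER):
        return set()
    tiff = exif_payload[len(EXIF_HEADER):]
    endian = {b"II": "<", b"MM": ">"}.get(tiff[:2])
    if endian is None:
        return set()
    (ifd0_off,) = struct.unpack(endian + "I", tiff[4:8])

    def read_ifd(off):
        (n,) = struct.unpack(endian + "H", tiff[off:off + 2])
        for i in range(n):
            e = off + 2 + 12 * i
            tag, typ, cnt = struct.unpack(endian + "HHI", tiff[e:e + 8])
            yield tag, typ, cnt, tiff[e + 8:e + 12]

    gps_off = None
    for tag, _typ, _cnt, raw in read_ifd(ifd0_off):
        if tag == TAG_GPS_IFD:
            (gps_off,) = struct.unpack(endian + "I", raw)
    if gps_off is None:
        return set()
    return {tag for tag, _, _, _ in read_ifd(gps_off)}


def find_gps_tags(jpeg):
    """Sorted names of GPS tags in any Exif segment (empty list if not geotagged)."""
    found = set()
    for marker, payload, _, _ in iter_segments(jpeg):
        if marker == 0xE1:
            found |= parse_gps_tags(payload)
    return sorted(GPS_TAG_NAMES.get(t, "GPSTag%d" % t) for t in found)


def strip_exif(jpeg):
    """Copy of the JPEG with every Exif APP1 segment removed; image data is untouched."""
    out = bytearray(jpeg[:2])
    for marker, payload, start, end in iter_segments(jpeg):
        if marker == 0xE1 and payload.startswith(EXIF_HEADER):
            continue
        out += jpeg[start:end]
    return bytes(out)


def build_geotagged_sample():
    """Constructed sample: SOI + one Exif APP1 segment holding a GPS IFD + EOI.
    TIFF layout (little-endian): header(8) | IFD0(18) at 8 | GPS IFD(30) at 26 | rationals at 56."""
    ifd0 = (struct.pack("<H", 1)
            + struct.pack("<HHII", TAG_GPS_IFD, 4, 1, 26)     # LONG pointer to GPS IFD
            + struct.pack("<I", 0))
    gps = (struct.pack("<H", 2)
           + struct.pack("<HHI", 1, 2, 2) + b"N\x00\x00\x00"   # GPSLatitudeRef = "N"
           + struct.pack("<HHII", 2, 5, 3, 56)                 # GPSLatitude: 3 RATIONALs at 56
           + struct.pack("<I", 0))
    lat = struct.pack("<IIIIII", 48, 1, 51, 1, 0, 1)           # 48 deg 51' 0" (constructed)
    tiff = b"II" + struct.pack("<HI", 42, 8) + ifd0 + gps + lat
    app1 = EXIF_HEADER + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"


if __name__ == "__main__":
    sample = build_geotagged_sample()
    print("geotags before:", find_gps_tags(sample))
    print("geotags after: ", find_gps_tags(strip_exif(sample)))
```

On a real upload pipeline the same two calls apply: reject or flag the asset if `find_gps_tags` returns anything, and store the result of `strip_exif` rather than the original bytes. Note that stripping the Exif block also removes non-GPS fields (camera model, capture time), so decide per policy whether to copy wanted fields into the DAM's own metadata before stripping.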

Why may data storage on servers outside the EU be questionable?

If data is stored on European servers, it is subject to the European data protection standard. The major cloud providers Microsoft Azure, AWS and Google are companies headquartered in the USA. Since the introduction of the Patriot Act in 2001, U.S. companies have been obliged to grant U.S. authorities access to data if it is stored in the USA. Since 2018, the CLOUD Act has also been in force in the USA; it additionally allows intelligence services to access foreign servers if the company's main headquarters is in America. So it is no longer just the server location that is decisive, but also the headquarters of the cloud provider. Even if the cloud provider's servers are located in the EU, US authorities can theoretically gain access to the data on them without prior judicial approval. Not only data protection advocates but also large US companies such as Microsoft are therefore critical of the CLOUD Act.

Agreement between EU and USA for secure data transfer annulled by European Court of Justice

Schrems judgements explained in brief

Data protection activist Max Schrems filed a lawsuit for the protection of his data at the European Court of Justice. Back in 2011, the then law student had demanded that Facebook hand over all the data stored about him and subsequently sued. He did not want Facebook to store his personal data on US servers because, in his opinion, it would not be sufficiently protected there from access by US authorities. The EU Court of Justice upheld the lawsuits and overturned both the Safe Harbor agreement and the subsequent Privacy Shield. Standard contractual clauses, on the other hand, were not declared generally invalid in the Schrems II decision, but before transferring data to a third country outside the EU, companies must check whether the level of protection in the third country is comparable to that in Europe, which is not the case in the USA, for example, because of the CLOUD Act.

In order to secure the transfer of personal data of EU citizens to the USA, where the large cloud service providers have their headquarters, the Safe Harbor agreement was concluded. The Safe Harbor agreement was declared invalid in 2015 by the Schrems I ruling of the European Court of Justice and was then to be replaced by the Privacy Shield. In addition, many companies use standard contractual clauses (SCC) based on Decision (EU) 2010/87 of the EU Commission in their contracts with service providers for data transfers to the USA in order to comply with the GDPR. However, the validity of the Privacy Shield concluded between the USA and the EU was revoked on July 16, 2020 by the Schrems II ruling.

Which aspects should be taken into account when choosing a digital asset management SaaS solution?

Due to the current legal situation, there are justified data protection concerns regarding data storage with foreign cloud services. Companies should be aware of this when comparing digital asset management software. In regulated industries in particular, it is advisable to pay closer attention to the data storage options when selecting digital asset management software. Not every provider gives its users the freedom to choose between different data storage options. For a SaaS solution, it is also advisable to check whether the DAM system can be operated in a European data center and is therefore subject to the European data protection standard. Alternatively, companies can run digital asset management software on their own servers. For smaller companies or agencies in particular, NAS systems from Synology, for example, offer a good way to build their own secure infrastructure. It should also be verified that any external services connected to the DAM system are subject to the same required security regulations.

With our Cavok digital asset management system, you decide where you want to store your data. In addition to a classic SaaS variant (in a secure German data center or with a provider of your choice) and an on-premise version, we also offer Cavok as a Hybrid SaaS digital asset management solution. Your data remains stored on your in-house servers. Only the database and web server are located in the data center.

We are pleased to advise you on how to make your data storage GDPR-compliant and secure.

