First presented at the digital summit 2019, GAIA-X has been under continuous development since then. Different working groups have designed use cases – so-called domains – as well as the core structure. Experts and representatives from different sectors and perspectives, being both cloud customers and providers, contributed to this work to make GAIA-X a success from various perspectives. One key objective is to create an ecosystem of trust for all stakeholders, as the fear of losing sovereignty over data is one of the most relevant issues hindering cloud adoption.
SRIW is happy to provide its unique expertise in designing effective and therefore credible onboarding, monitoring and complaint procedures. For almost a decade, SRIW has focused on building trust by designing such procedures to be as lean as possible to ensure accessibility to small and medium-sized enterprises (SMEs) whilst at the same time not losing essential scope and rigor.
To become a European, and even international, success, GAIA-X needs to be easily accessible, reduce complexity in integrating modern technologies and business models and – most importantly – offer and maintain the high level of trust European business and administration is seeking. We are proud to contribute to such an essential aspect of GAIA-X.
Dr. Claus-Dieter Ulmer, chairman of the executive board of SRIW and Global Data Privacy Officer and Senior Vice President Group Privacy at Deutsche Telekom
In developing different industry-driven standards, particularly codes of conduct, SRIW has gathered a lot of experience regarding the success factors of trusted standards. One of those is accessibility for SMEs. Accessibility for SMEs to become part of the ecosystem is crucial if GAIA-X is to serve as an enabler and accelerator for such companies. GAIA-X designed its onboarding and compliance processes for providers in a smart way by relating legal and business requirements and good practices to the expected processing activities and their risks. This allows for reasonable thresholds for different categories of trust. We very much welcome that the updates published today prove that GAIA-X is considering these aspects, e.g. by introducing three levels of compliance.
Detailed requirements have not yet been defined, but the publications already present the expected architecture. To avoid creating too much complexity in its first iterations, GAIA-X currently aims for three different levels. The lowest shall not require any existing third-party certifications or other compliance schemes to be in place but shall rely on verifications performed by GAIA-X. The higher the proof of compliance, and thus the level of trust provided, the more requirements shall be added. These will certainly relate to the procedure of verification, and therefore align more closely with existing certifications and audits than the very first entry level does. Such alignment will also be relevant for adapting to the different applicable legal frameworks – just to mention the very rigorous approach within finance and banking regulation. If and to what extent higher levels will – besides rigor – also differ in material requirements or frequency of verification should be further defined in future. It is appreciated that GAIA-X already seems to think in modular terms. For example, requirements specifically related to the processing of personally identifiable information within the scope of GDPR shall only apply if and to the extent providers opt in. This will also keep (administrative) thresholds reasonable for providers, as GAIA-X will not require compliance with legal frameworks that would not apply outside of the GAIA-X environment.
A core element to keep pace is integrating and building upon existing standards and requirements to the extent possible. This ensures wide applicability and economically efficient means for providers to underpin and prove compliance with GAIA-X requirements. Surely, reading recent publications carefully, GAIA-X does not understand itself just as a recycler of existing standards and schemes. Potential gaps will be analysed and addressed by GAIA-X specific requirements, and it is likely that requirements of existing standards and schemes will be slightly adjusted to meet the high promises of GAIA-X.
Building upon existing standards is a lean and efficient method to balance European and international outreach as well as trust. GAIA-X will do a tremendous job in keeping its approach of interoperability in this regard. Though GAIA-X requirements are neither finalised nor agreed upon yet, the proposed methodology of relating GAIA-X requirements with existing standards and schemes is promising.
Frank Ingenrieth, LL.M., deputy managing director at SRIW and GAIA-X working group member.
Having set out to meet the highest expectations, GAIA-X surely will not refer to each existing standard. Rightly, GAIA-X will set up a procedure identifying appropriate standards and schemes that reflect adequate trust and reliability. For example, data protection related schemes will only be integrated if they meet the requirements as defined by GDPR in Articles 40 et seq. As SRIW has – since its foundation – been dedicated to codes of conduct, we will keep track of further developments and potential integrations of existing initiatives that are, as communicated by the European Commission, already reviewed by the European Data Protection Board. Hopefully, certifications will follow soon to complement the tools provided by GDPR.
Related to data protection, GAIA-X can certainly rely on existing mechanisms, such as adherence to GDPR-approved codes of conduct, which ensure a reliable and objective framework for participants and eventually ease the onboarding.
Susanne Dehmel, deputy chairwoman of the executive board of SRIW and Managing Director Trust and Security at Bitkom.
In conclusion, GAIA-X has made significant progress. SRIW will be happy to further provide its support and expertise in such a relevant approach, focusing on safeguarding trust and outreach through accessibility. Given the milestones achieved so far, let us emphasise some aspects of the essential decisions which will be key for the further development of GAIA-X:
- further integrate international and European experts; especially extending access to all interested European Member States and experts seems useful to make GAIA-X a European success
- define detailed requirements; both to ensure legal compliance but also to ensure functionalities and adequate service quality as necessary for each GAIA-X domain
- keep usability and accessibility a high priority, i.e. requirements should not be prohibitive whilst at the same time they need to be adequate and reliable in order to lighten the burden of individual assessments by users; usability will also be key for user acceptance.
- keep interoperability; starting this ecosystem from scratch will not be a success, as cloud computing is internationally already well defined and provides widely adopted models. GAIA-X should focus on interoperability and prevent conflicts of standards and laws. It should also enable and accelerate new technological approaches, like edge computing, within the GAIA-X framework. The focus should be on effective technical, organisational or transparency measures; specifically, to the extent GAIA-X can reach its aims equally effectively by such measures. Consequently, participation of companies that store data on non-European servers should not be excluded per se. It is important, though, that European values, such as data sovereignty, are guaranteed at all times.
About Selbstregulierung Informationswirtschaft e.V.
Self-Regulation Information Economy (German: Selbstregulierung Informationswirtschaft e.V. – short: SRIW) is a Berlin-based non-profit organisation that fosters and promotes data and consumer protection through self- and co-regulation. SRIW has also been a monitoring body for data protection codes of conduct in Germany since 2011 and has so far successfully implemented and enforced two codes of conduct in the field of data protection. It further serves as a platform for the development, implementation, enforcement, and evaluation of various codes of conduct. SRIW has also actively contributed to the work of the Community of Practice for better self- and co-regulation during its mandate. Learn more at: https://sriw.de