Data Protection as a Service

The EU General Data Protection Regulation (GDPR) requires website and blog owners to comply with legal requirements on data protection. In order to be able to achieve this at all, operators must have both comprehensive technical and legal knowledge: they must be able to understand the technology they operate with in order to identify risks to fundamental rights, andthey must be able to select, configure and operate the technology competently in order to prevent violations of data subjects’ fundamental rights.

In the past, knowledge uncertainties have led to small websites and blogs being shut down on a massive scale. This became known as “website dying”. The consequences are serious, not only for the website owners themselves. If websites are not set up in accordance with data protection regulations the fundamental rights of data subjects will be at risk, mainly due to a lack of competence on the part of data controller. 

The most obvious and yet promising approach to solving this problem is to involve the data processor, the hosting providers. They have the technical resources at hand, the infrastructure and the legal expertise necessary in order to comply with data protection laws. 

In this research project we are developing, together with several research partners, solutions that help website owners to overcome their knowledge uncertainties. By specifying GDPR provisions regarding the operation of websites, we create certification criteria that determine how hosting providers can help website owners to operate their website or blog in accordance with the GDPR. These hosting providers can, on the other hand, signal this help to their (potential) customers as a product feature and thus gain a competitive advantage over their competitors. 

Taking off from here, this basic research project will be extended to other areas relevant to data protection law beyond website hosting. In parallel, the economic implications of these mechanisms will be researched, with the project ultimately contributing to the standardisation in the data protection field und push the state of the art in technical and organisational protection measures.