
Searching for the silver lining of the US cloud

We live in a society where more and more services are available online, and to an increasing extent, people expect that there should be a digital solution. The demand for digitalization of the public sector is increasing. However, at the same time, there are requirements for public activities to handle tax funds responsibly and not buy more expensive solutions than necessary. Here, cloud providers are often used to solve the equation of being both efficient and economical - and not least secure. The problem is that after a judgment in the Court of Justice in the European Union (Schrems II), cloud-based solutions supplied by US-based providers appear to be legally prohibited as their use violates the GDPR. GDPR complicates the digitization work by creating uncertainty about what a public organization is allowed to do. The research question to help shed light on this issue is “How can the public sector in Sweden use US cloud providers in the light of Schrems II?” This research uses design science as a research method to find the critical factors to support the use of US cloud service providers and use the factors as requirements. As the problem is practical, action research is used as a research strategy. The primary data collection methods are interviews of subject matter experts for their knowledge and direct insight into the problem, document research of mostly official documents as a knowledge base for the research with their validity and reliability, and a variant of brainstorming for new perspectives. Thematic analysis is used to analyze the results and help define the requirements for using US cloud providers in the public sector, along with explanation and root cause analysis. The GDPR is clear about third country transfers, but the additional laws and demands cause uncertainties on applying it and for which kind of data. 
The critical factors found are contributing laws, data classification, risk management, internal procurement, routines, employee knowledge level, and the need for documentation. These results led to a conclusion that open, public data is the only kind of data for which it is possible to use US cloud providers. After carefully examining the critical factors, some public organizations have chosen to use US cloud services for other data types, as they decided it was the safer choice. EU and the US have just agreed on the principles of a new trans-Atlantic data transfer treaty. This treaty must solve several problems to guarantee an adequate level of protection, and the probability that this will be met creates continued uncertainty in the affected organizations. One thing is clear - an organization that meets the critical requirements is firmly facing whatever future may come.

Identifier: oai:union.ndltd.org:UPSALLA1/oai:DiVA.org:su-219717
Date: January 2022
Creators: Di Gleria, Sonja
Publisher: Stockholms universitet, Institutionen för data- och systemvetenskap
Source Sets: DiVA Archive at Upsalla University
Language: English
Detected Language: English
Type: Student thesis, info:eu-repo/semantics/bachelorThesis, text
Format: application/pdf
Rights: info:eu-repo/semantics/openAccess
