The European General Data Protection Regulation (GDPR) law was enforced in May, but is still confusing to some colocation providers as to which requirements they must comply with and how. So, I talked to an expert on the subject and came away with a clear answer: “It depends.”
GDPR is all about ensuring the privacy of consumers’ personal data and giving them more control over how data is used and for how long (as explained in this previous post arguing why it’s necessary). It’s important because it applies to any organization of any size that stores or processes any kind of personal data on EU residents. For all intents and purposes, that means just about any EU company to the extent each holds data on its own employees. But it also applies to companies outside the EU that hold data on EU residents – again, that’s a lot of companies.
GDPR Basics: Data controllers vs. data processors
Mark Bailey is a partner at the UK law firm Charles Russell Speechlys and an expert on various aspects of technology law, including data center contracts. (In fact, he presented on a GDPR-related topic at the International Colocation Club event in Paris in 2016; you can view his presentation in this blog post.)
Bailey says the extent to which the GDPR applies to a colocation provider depends on whether the company simply houses servers for customers, or whether it provides more “hands on” services that put it more directly in touch with customer data.
The GDPR defines two classes: data controllers and data processors. Every colocation company is a data controller, at least for its own employees’ data, because it determines “the purposes, conditions and means of the processing of personal data,” as the GDPR puts it. But a colocation company that is a controller only in relation to its own employees may nonetheless have limited responsibility under GDPR in relation to its customers’ data; if it neither does nor is able to do any of the things listed below, it may not be subject to the GDPR at all in that respect.
You may be considered a data processor if you can access, manipulate or disseminate customer data, or if you provide storage, encryption or analysis of data, even if it’s anonymized. If you can interact with and/or remove hard drives, or have access to servers (for example, to reboot them), you’re also considered a data processor.
“Whilst not to the same extent as controllers, data processors now have far more responsibility (and liability) under GDPR,” Bailey says, “and customers are now vetting providers as to whether they’re compliant.”
GDPR basics: Compliance for colocation providers
“Ensuring compliance with GDPR can be monitored by a few basic measures which will help mitigate companies that are not,” Bailey says.
First is having the appropriate policies and procedures in place – and following them. That typically entails paying attention to standards and certifications, such as the ISO 27001 information security standard. “We’re seeing data center providers increasingly starting to look at certifications and use them as badges of quality,” Bailey says. “Just because you have them doesn’t mean you automatically comply with GDPR. The standards need to be properly complied with, so they seamlessly operate in a chain with customer requirements.”
Physical security is another key requirement. But GDPR doesn’t spell out any specific technologies; rather, it talks in general terms about “adequate” technical and organizational means to protect data. “Two things we look for in data centers are biometric access controls and CCTV (security cameras),” Bailey says. The key is having proper policies in place around those controls, such as how long you keep access records and CCTV recordings. “If your data center is next door to a public street with thousands of people walking by every day, you’ll have a different privacy impact assessment from one in the middle of the desert.”
The business opportunity GDPR brings to colocation providers
The level of security your colocation data center provides can be a differentiator that creates opportunity with customers who are concerned about GDPR.
“Operators need to be curious enough about what customers are doing, so they have the right environment in place,” says Bailey. Industries such as healthcare and finance, for example, are likely to have more stringent requirements, as is any company that processes credit cards. “So be aware of it, and make sure you have the right controls and the right information available to give to customers around specific controls for things like CCTV.”
Be GDPR compliant: your customers are expecting you to be
Remember that GDPR applies to any company that processes or stores data on EU citizens, even if that company is not physically located within the EU. “If you maintain a marketing database or have contact with European citizens, technically the law still does apply,” Bailey says. Responsibilities may be somewhat limited, but it’s best to check on what they are.