The EU General Data Protection Regulation, Regulation (EU) 2016/679 (GDPR), applied from 2018 and introduced sweeping measures to give people control over their personal data. It is a particular factor for the European data centre market: it offers that market advantages, but it also raises some important issues.
Assuring data privacy is a key aspect of GDPR, and that assurance includes government and public sector organisations. This gives EU data centres an advantage – one that is not available to data centres in the US, for example.
There is no exemption for the public sector in GDPR, writes Duncan Brown, research director, European security practice at IDC.
“Article 4 specifically includes public authorities in the definitions of data controllers and processors. Article 37 specifically requires all public authorities or bodies (except courts) to designate a data protection officer. There are other instances where specific terms are applied to public authorities to account for local laws and the effective operation of government. But to all intents and purposes, the public sector is ‘in’.”
In the US, this is not at all the case: there is no equivalent regime binding the public sector. Administrative government agencies such as the IRS, the Census Bureau, the Postal Service and social welfare departments gather a wide range of personal details about people, and users’ social media activity and their online social networks are at least sometimes examined in investigations, according to the “transparency reports” released by the platform companies.
“In striking down the Privacy Shield in Schrems II, July 2020, the EU Court of Justice cited concerns that European citizens’ data would be subject to US government surveillance. The concerns stemmed from former contractor Edward Snowden’s revelations on spying by the US National Security Agency,” one commentator notes.
Outside the EU, data protection laws vary wildly, so any client of a data centre would be wise to establish to what extent its company’s data is safe from unwanted scrutiny in the jurisdiction where it is held.
Many data centres in Europe have taken advantage of the stability and clarity of GDPR to make compliance with it a selling point, writes a researcher. “This may involve helping clients track personal data, ensure that it is easy to change or erase, and also, in the case of a breach, to ensure 72-hour notification.”
There is a strong chance that such data centres will also need to appoint a data protection officer, conduct risk assessments, and build a documented track record of compliance.
Large companies, with a need for local data in many locations, need to adopt a multizone strategy.
Large companies may see too much complexity in this kind of relationship with a data centre. “One clear short-term result from this regulation will be the need for a multizone data centre strategy. In this new paradigm, having a consistent unit of data centre deployment will be critical to ensuring deployment speed, uniformity, and cost structure savings across a distributed geographic footprint,” comments Samir Shah, VP of Product Management, BaseLayer.
When companies do adopt this strategy in working with their data centres in Europe, they will have to determine the exact roles of all the agents involved.
GDPR makes a central distinction between data controllers and data processors. The data controller determines the purposes for which, and the means by which, personal data is processed. The data processor processes personal data only on behalf of the controller and according to the controller’s instructions.
This definition may directly affect data centre operations.
“Clients at a co-location data centre can be controllers or processors or both. Some clients are data controllers who have placed their personal data about clients, employees etc., in our centres. Others are data processors, for instance, service providers or cloud companies, who process the data on behalf of multiple customers inside the data centre,” as one research note points out.
“The relationship between the data controller and the processor is governed by a Data Processing Agreement (DPA). The data controller is responsible for compliance and must make sure they enter into data processing agreements when necessary.” Exactly which roles a data centre plays for a given client – controller, processor or neither – is usually settled by an audit. “Customers often want to audit data centres for their own risk assessment,” says Vicky Withey, compliance manager at Node4, a UK data centre owner.
“In recent years, we have had an increase in customer audits: People want to be shown around and complete a questionnaire. They ask: How do you protect data and access to racks? Sometimes customers want a specific reference in the contract to confirm they have an audit requirement.”
For data centres, GDPR has undoubtedly increased legal exposure, and with it the investment required to manage that exposure.
If you are a data centre and your business model is to provide services based around the infrastructure, there has been more investment on the legal side. Previously contracts might have been straightforward, but they are now much more complex between data processor and data owner.
For example, people ask: “What would happen if we exit your infrastructure; how will data be sanitised?”