Roundtable: What Has the GDPR Meant for Data Centers?

June 20, 2018
The GDPR has finally arrived. What has it meant for data center providers? Five thought leaders on our DCF Executive Roundtable debate privacy, security and whether a GDPR-style law could work in America.

Today is day three of our Data Center Executive Roundtable, a quarterly feature showcasing the insights of thought leaders on the state of the data center industry, and where it is headed. In today’s discussion, our panel of experienced data center executives – Randy Rowland of Cyxtera, Dana Adams of Iron Mountain, Joel Stone of RagingWire, Samir Shah of BASELAYER, and Eric Ballard of Stream Data Centers – discuss the impact of the arrival of the GDPR and the future of data privacy regulation on the data center industry.

The conversation is moderated by Rich Miller, the founder and editor of Data Center Frontier.

JOEL STONE, RagingWire

Joel Stone, RagingWire: The European Union’s General Data Protection Regulation (GDPR) went into effect on May 25, 2018, with over 100 separate articles that have to be addressed, the bulk of which concern the privacy, protection, and handling of data about EU citizens.

In the U.S., most data protection issues are familiar to anyone who has worked under PCI DSS, ISO 27001, or NIST regulations, so these are fairly readily addressed. That said, “72 hour breach reporting” has caused both legal and IT departments to up their game. IT and legal teams are now on the hook to analyze whether exposed or affected data can cause “risk to the rights and freedoms” of EU data subjects. Of course, these rules apply across all industries, and aren’t specific to data center providers.

Methods of consent and data collection must change. Companies can no longer bury language about how they are going to leverage user data in a separate and long “End User License Agreement” or “Terms and Conditions” document. Those methods have to be “Freely given, specific, informed, and unambiguous.” So that means companies may change how they collect and use Personally Identifiable Information.

I’d say it’s highly likely that we’ll see similar privacy regulations in the U.S. After so many breaches, U.S. citizens are worried about data collection and analytics methods conducted not just by businesses, but also the government.

Unlike in the EU, the U.S. doesn’t have a single comprehensive federal law regulating the collection and usage of personal data. However, lawmakers are continually pressing for revisions to existing data handling standards such as PCI DSS, ISO 27001, and laws and regulations such as NIST, the Federal Trade Commission Act (FTC Act), Children’s Online Privacy Protection Act (COPPA), and HIPAA HITRUST.

Simply put, yes, we’ll likely see an increase in similar privacy regulations in the U.S. We can only guess at the impact, but we believe they may be similar to the new EU regulations now in place.

Dana Adams, Vice President and GM of Data Centers, Iron Mountain

Dana Adams, Iron Mountain: We think it is very unlikely that we will see a GDPR-like law in the US since we don’t have an omnibus privacy law in the US. Instead, we have sector-specific laws and also federal and state laws that will address some of the GDPR concepts and potentially give consumers more control over their personally identifiable information (PII). Data center providers who do not access customer data need to take certain precautions to comply with GDPR, but are not likely to be significantly impacted by the new laws if they already run a robust security and compliance program.

The key requirements for providers include maintaining a formal information security program that, among other controls specific to the service offering, ensures the appointment of a Data Protection Officer, and incorporates incident response management, third-party oversight, periodic risk assessments and relevant training to all users. It also requires the establishment and execution of a Data Processing Agreement between providers, customers and related entities that specifies the services in scope and each entity’s responsibilities as they pertain to the business relationship.

Eric Ballard, Vice President, Network & Cloud for Stream Data Centers

Eric Ballard, Stream Data Centers: GDPR has been another opportunity to validate that the process and procedures that we already had in place were ready to tackle GDPR with minimal tweaks, more on the reporting side. With the advent of more and more information being available on people and their lives (whether it be shared by them or being gathered via their activities by third parties), the regulation landscape will change and become more rigid.

Governments are just starting to figure out what many of us have known for a long time, and with some very public exposures of user data it has created a distrust of providers and how they safeguard data that they control. This will all lead to a more transparent view of what is collected and stored, and hopefully how it is used. For the data center industry, there will be additional regulations to follow, and additional audits and verifications to achieve, but we are already ahead of the game versus many industries.

Samir Shah, VP of Product Management, BaseLayer

Samir Shah, BASELAYER: It is hard to predict political and regulatory trends in the US and other regions. But companies looking to do business with EU citizens will be forced to address GDPR in a short timeframe.

One clear short-term result from this regulation will be the need for a multi-zone data center strategy. In this new paradigm, having a consistent unit of data center deployment will be critical to ensuring deployment speed, uniformity, and cost structure savings across a distributed geographic footprint.

Randy Rowland, President of Data Center Services at Cyxtera

Randy Rowland, Cyxtera: While too early to determine the exact impact of GDPR on data center providers and their customers, we have certainly seen that providers must take account of the methods and extent of their data collection practices.

This will allow data center service providers and their customers to determine where the collection and transfer of Personal Data (as defined in the GDPR) may require remedial action on their part to comply with GDPR.


About the Author

Rich Miller

I write about the places where the Internet lives, telling the story of data centers and the people who build them. I founded Data Center Knowledge, the data center industry's leading news site. Now I'm exploring the future of cloud computing at Data Center Frontier.
