Today is day three of our Data Center Executive Roundtable, a quarterly feature showcasing the insights of thought leaders on the state of the data center industry, and where it is headed. In today’s discussion, our panel of experienced data center executives – Randy Rowland of Cyxtera, Dana Adams of Iron Mountain, Joel Stone of RagingWire, Samir Shah of BASELAYER, and Eric Ballard of Stream Data Centers – discuss the impact of the arrival of the GDPR and the future of data privacy regulation on the data center industry.
The conversation is moderated by Rich Miller, the founder and editor of Data Center Frontier.
Joel Stone, RagingWire: The European Union’s General Data Protection Regulation (GDPR) went into effect on May 25, 2018 with over 100 separate articles that have to be addressed, the bulk of which concern the privacy, protection, and handling of data about EU citizens.
In the U.S., most data protection issues are familiar to anyone who has worked under PCI DSS, ISO 27001, or NIST regulations, so these are fairly readily addressed. That said, “72 hour breach reporting” has caused both legal and IT departments to up their game. IT and legal teams are now on the hook to analyze whether exposed or affected data can cause “risk to the rights and freedoms” of EU data subjects. Of course, these rules apply across all industries, and aren’t specific to data center providers.
Methods of consent and data collection must change. Companies can no longer bury language about how they are going to leverage user data in a separate and long “End User License Agreement” or “Terms and Conditions” document. Those methods have to be “Freely given, specific, informed, and unambiguous.” So that means companies may change how they collect and use Personally Identifiable Information.
I’d say it’s highly likely that we’ll see similar privacy regulations in the U.S. After so many breaches, U.S. citizens are worried about data collection and analytics methods conducted not just by businesses, but also the government.
Unlike in the EU, the U.S. doesn’t have a single comprehensive federal law regulating the collection and usage of personal data. However, lawmakers are continually pressing for revisions to existing data handling standards such as PCI DSS, ISO 27001, and laws and regulations such as NIST, the Federal Trade Commission Act (FTC Act), Children’s Online Privacy Protection Act (COPPA), and HIPAA HITRUST.
Simply put, yes, we’ll likely see an increase in similar privacy regulations in the U.S. We can only guess at the impact, but we believe they may be similar to the new EU regulations now in place.
Dana Adams, Iron Mountain: We think it is very unlikely that we will see a GDPR-like law in the US since we don’t have an omnibus privacy law in the US. Instead, we have sector-specific laws and also federal and state laws that will address some of the GDPR concepts and potentially give consumers more control over their personally identifiable information (PII). Data center providers who do not access customer data need to take certain precautions to comply with GDPR, but are not likely to be significantly impacted by the new laws if they already run a robust security and compliance program.
The key requirements for providers include maintaining a formal information security program that, among other controls specific to the service offering, ensures the appointment of a Data Protection Officer and incorporates incident response management, third-party oversight, periodic risk assessments and relevant training for all users. It also requires the establishment and execution of a Data Processing Agreement between providers, customers and related entities that specifies the services in scope and each entity’s responsibilities as they pertain to the business relationship.
Eric Ballard, Stream Data Centers: GDPR has been another opportunity to validate that the process and procedures that we already had in place were ready to tackle GDPR with minimal tweaks, more on the reporting side. With the advent of more and more information being available on people and their lives (whether it be shared by them or being gathered via their activities by third parties), the regulation landscape will change and become more rigid.
Governments are just starting to figure out what many of us have known for a long time, and some very public exposures of user data have created a distrust of providers and how they safeguard the data they control. This will all lead to a more transparent view of what is collected and stored, and hopefully how it is used. For the data center industry, there will be additional regulations to follow, and additional audits and verifications to achieve, but we are already ahead of the game versus many industries.
Samir Shah, BASELAYER: It is hard to predict political and regulatory trends in the US and other regions. But companies looking to do business with EU citizens will be forced to address GDPR in a short timeframe.
One clear short-term result from this regulation will be the need for a multi-zone data center strategy. In this new paradigm, having a consistent unit of data center deployment will be critical to ensuring deployment speed, uniformity, and cost structure savings across a distributed geographic footprint.
Randy Rowland, Cyxtera: While too early to determine the exact impact of GDPR on data center providers and their customers, we have certainly seen that providers must take account of the methods and extent of their data collection practices.
This will allow data center service providers and their customers to determine where the collection and transfer of Personal Data (as defined in the GDPR) may require remedial action on their part to comply with GDPR.