It’s been a long time coming, but the EU General Data Protection Regulation (GDPR) finally comes into effect in May 2018. As such, many firms in the UK are now in full-on panic mode: have they correctly understood their requirements under the new rules, or will they be exposed to fines of up to €20 million - or 4% of global turnover - in little more than six months’ time?
The truth is, there’s still a lot of uncertainty around GDPR and its implications for the way we do business today. This is partly because we live in an age where the ownership and control of IT infrastructure is often outsourced to third parties via cloud and colocation services, so it’s not necessarily obvious who should be shouldering the burden of compliance when it comes to handling the personal information of EU citizens.
On one hand, the new rules represent a departure from the current regime in that cloud and colocation providers (or “data processors”) will now assume some liability for data protection failures. On the other, it rests on the end user (or “data controller”) to take steps to ensure the actions of the data processor are, to their knowledge, compliant. So, much as there’s scope for regulators to clamp down on errant service providers, it’s still a firm’s responsibility to work only with suppliers that can handle personal data in a compliant way.
As a starting point, here are three factors firms should consider in their choice of cloud or colocation provider to ensure compliance.
Chapter 4 of the GDPR is unambiguous about the importance of a transparent relationship between data controller and data processor. The end user should have total visibility of factors such as where copies of their data are stored, if any cross-border data transfers take place, and whether the processor itself uses any third-party suppliers (which will need to be authorised).
The regulation also requires data processors to “allow for and contribute to audits” conducted by the data controller or their representative, which could potentially include activities such as data centre site visits.
Technical and organisational security controls
As pointed out in a recent paper from PwC, a lot of the conversation around GDPR to date has focused on data governance, storage and retention, and less on the technology itself used to deliver a secure and compliant data environment. Technical security controls have a vital role to play in data protection, as do organisational controls that restrict access to regulated data, and many will fall under the jurisdiction of the data processor rather than the data controller.
The regulation states that these controls should “take into account the state of the art”, balanced against the cost of implementation and the seriousness of the risk. According to this 2016 article from Lexology, some of the measures to consider at a bare minimum include firewalls, password protection, regular software updates, encryption, physical security controls, and vetting of suppliers and contractors.
Management of storage assets
Finally, the GDPR introduces a number of new requirements around data retention, perhaps the most memorable of which is the new right to erasure for EU citizens. As such, firms will need to ensure their service providers allow them to dictate the terms on which data is retained, and erase data on request where required, across both primary and backup data environments.
For some suppliers, this will mean improving the overall management of storage assets to deliver greater transparency over where data resides and for how long, and to put in place more watertight controls for processes such as drive disposal.
Ultimately, while the new rules put issues like citizens’ rights higher on the agenda, many of the factors to consider in your choice of cloud or colocation provider are issues security-conscious firms should already care about.