The European Union’s (“EU”) General Data Protection Regulation (“GDPR”) is set to go into effect on May 25, 2018. The regulation is not limited to organizations in the EU; it applies to any organization doing business in Europe, including those in the U.S. These data privacy rules take data protection and security policies to a whole new level.
GDPR and What It Could Mean to Data Center Operators
Where Is This Coming From?
When a business sells goods and services to anyone within the EU, it must comply with a new standard for consumer rights and, in particular, for how it handles customer data or personally identifiable information (PII). In the U.S., the Code of Federal Regulations requires that the U.S. Government protect PII based on policy that began with the Privacy Act of 1974. To add to the confusion, in 2017 President Donald Trump signed a bill repealing internet privacy rules that the Federal Communications Commission (FCC) had previously passed, using the Congressional Review Act (CRA) as the tool for reversing the policy. Many industry leaders and some Government leaders believe that the U.S. will follow the EU’s lead in the short term, primarily because of previous massive data breaches and the requirements of a global economy.
In the EU, Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 was published for the protection of individuals with regard to the processing of personal data and on the free movement of such data. Fast forward to 2016, when the EU published Regulation (EU) 2016/679, the GDPR, repealing Directive 95/46/EC. The GDPR, scheduled to take effect at the end of this month, replaces Data Protection Directive 95/46/EC and permits levying heavy fines for non-compliance. The Information Commissioner’s Office (ICO) in the UK is working to expand on key areas of the GDPR with additional guidance regarding children’s privacy, contracts, legal obligations, public task, vital interests, automated individual decision-making and profiling, and personal data breach notification.
Here is an abbreviated list of the rights covered by the 99 articles of the GDPR:
- Right to be Informed
- Right of Access
- Right to Rectification
- Right to Erasure (Article 17: Right to erasure, 'right to be forgotten')
- Right to Restrict Processing (Article 25: Data protection by design and by default)
- Right to Data Portability
- Right to Object
- Rights related to automated decision making including profiling
EU and US Data Center Operators
A 2017 PwC Pulse Survey asked 200 U.S. C-suite respondents about their GDPR preparedness: 54 percent indicated that data protection is a priority, 71 percent have already started GDPR preparations, 75 percent said that they are adopting binding corporate rules, 77 percent plan to self-certify under the EU-US Privacy Shield, 77 percent plan to spend $1 million or more, and many are re-evaluating their European presence and reducing their personal data exposure. In another report, published by RSA, a survey of consumers indicated that their greatest concerns were financial/banking information (with the potential for fraud and theft from personal accounts), security information such as passwords, and identity documents such as passports and driver’s licenses or other general identity information.
Varonis conducted a similar survey in October 2017 with input from 500 cyber security professionals in the US, EU, UK, Germany, and France. GDPR awareness was highest among the Europeans, with the US lagging behind. The GDPR priorities listed, in order, were data security, network security, and application security, with the greatest challenge being Article 17, the “right to be forgotten” (RTBF), followed by Article 25, data protection by design.
The EU-U.S. Privacy Shield Framework was designed by the U.S. Department of Commerce (DoC) and European Commission (EC) to provide companies on both sides of the Atlantic with a mechanism to comply with EU data protection requirements when transferring personal data from the EU to the U.S. in support of transatlantic commerce.
Since 2016, data centers have been required to comply with EU Regulation 2016/679 and to provide secure IT networks by preventing unauthorized access to all networks and preventing malicious software from executing “denial of service” attacks. The regulation further places responsibility on the data center to demonstrate that appropriate levels of access and appropriate policies are implemented. Data ownership extends to the physical assets where data is stored, including high availability, backing up or archiving data, and contingencies such as disaster recovery. Additionally, a data protection officer will be required at the data center to conduct risk assessments and establish compliance records. The data center must work with customers to identify the types of data affected in the event of a data breach, which has to be reported within a 72-hour window, along with details concerning data storage and access.
More recently, industry efforts to better manage and self-police data protection practices for consumers include the creation of a Fourth Geneva Convention, similar to the Protection of Civilian Persons in Time of War that stemmed from the original Geneva Convention. Microsoft originally adopted this concept, and industry is just now coming on board to facilitate Advanced Threat Protection and cyber defense.
If GDPR compliance sounds time-consuming and complicated, that’s because it is. Many companies across the spectrum are seeking legal advice on how to prepare for its implementation later this month. Whatever the result, it’s certainly the largest change in data privacy regulation to come around in a generation.