The European Union, via the EU Commission, has enacted two key regulations relating to data processing; the General Data Protection Regulation (GDPR) and the Network and Information Security Directive (NISD). While both came into force in April 2016, they will replace the Data Protection Directive on May 25, 2018. Here I will briefly summarize a few of the 99 articles of the GDPR with respect to DC owners and operators of data centers.
Broadly, this means is that any company that solicits, targets, collects, stores or processes any data on a citizen of the EU will need to have governance policies in place for GDPR compliance. Despite the Brexit filing, the UK has publicly stated they will adopt in full the GDPR.
As it covers the data of any individual based in the EU, regardless of citizenship or where the data is being held, DC operators as processors may expect additional demands from their customers (the controllers) that they are taking measures that will minimize their exposure to infringing the GDPR.
What does this mean for the owners and operators of a data center in Asia? “Plenty” is the short answer.
The GDPR applies to the processing of personal data by controller or a processor in the EU Union, regardless of whether the processing takes place in the Union or not. There are two key definitions of relevance: the controller (the entity that has originated the data and manages the data content), and the processor (the entity that stores, transmits or applies a computational process to the data on behalf of the controller). Data center owners would fall primarily under the latter unless they are on prem or captive DCs, in which case they may be both. For the purposes of this article I will only address the processor – this in particular would cover cloud service providers (CSPs).
Article 28 outlines the responsibilities of a processor, with ten paragraphs that also refer to other articles, but the opening paragraph defines the relationship: “Where processing is to be carried out on behalf of a controller, the controller shall use only processors providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that processing will meet the requirements of this regulation and ensure the protection of the rights of the data subject.”
In particular, the GDPR mandates that “In order to maintain security the controller or processor should evaluate the risks inherent in the processing and implement measures to mitigate those risks, such as encryption … Consideration should be given to the risks that are presented by personal data processing, such as accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed which may in particular lead to physical, material or non-material damage.” (Paragraph 83).
This means that a full data loss strategy will be demanded by customers who hold data subject to the GDPR, of DC owners and operators. I have already seen questionnaires from Europe that are asking companies in Asia if they are GDPR-compliant.
Article 15 ensures that an EU citizen or resident may request the return of all data held, or under article 20, direct the entity holding the data to move it to another entity. This is rather like cellphone number portability, presumably in theory increasing competition. The GDPR also has provision for the right of erasure (‘the right to be forgotten’) under Article 17.
This will mean that a DC owner has to ensure that data can be blocked from access if there is an order, plus to have a process in place to move data as requested by the controller down to the individual record level and erasing all back-up copies.
The EU law will also mandate that many large organizations appoint a data protection officer (DPO) to have an overall view of where data is located and set controlled parameters on who has access to it. The DPO will have to work DC operators and processors to ensure compliance to monitor and control data movement across the company and its use.
The board of directors of a DC has a fiduciary duty to ensure that shareholders are protected, no matter where data is stored or processed. A data controller cannot outsource their responsibility under GDPR, but they can certainly seek legal redress if the DC/processor fails to take adequate steps to protect their data.
DC owners addressing the GDPR need to take steps now to re-architect their data provisioning to have any chance of compliance, as there are now six months left to get the controls in place to avoid the severe penalties as outlined here
In summary, DC owners and operators need to revise all their policies and processes now to ensure they are GDPR-compliant or risk losing business from the EU, or worse. The good news is that the technology industry is creating innovations to address compliance with the GDPR under the general description of ‘RegTech’. Where there is adversity there is opportunity.
Written by Michael Mudd, founder and Managing Partner of Asia Policy Partners. He is also a member of the FinTech, Policy and Cloud computing SIG’s of the Hong Kong Computer Society, the chief representative of the Open Computing Alliance in the APAC and MEA region, and an associate member of the Middle East & North Africa Cloud Alliance.
Michael will be speaking on this topic this Friday at DCD>Converged Hong Kong. Click here for details on the conference agenda, registration information and more! Disruptive.Asia is an official media partner of DCD>Converged Hong Kong.