The new European General Data Protection Regulation goes into effect next May and applies to any company, anywhere in the world, that collects sensitive data about European customers or employees. GDPR also comes with onerous breach notification requirements and high penalties for failing to comply, and data center operators may become prime targets for regulators’ enforcement efforts once the new rules kick in.
“Data center providers are an important piece in the GDPR compliance chain as they have ownership of the physical assets where information is stored,” said Jose Casinha, CISO at OutSystems, an enterprise software company based in Atlanta, Georgia.
“The data center is ‘where the rubber meets the road’ for many aspects of GDPR,” said Ken Krupa, enterprise CTO at MarkLogic Corp.
Often, it’s only the people who manage the infrastructure who really understand where all the copies of the data are, he said, especially when things like high availability, disaster recovery, and backups are taken into account.
It’s Not Only for Data Centers in Europe
However, many providers don’t know about the law, aren’t aware that it applies to them, and don’t have the time and resources to become compliant.
For example, data centers don’t have to be located in Europe to be affected by the law, said Benjamin Wright, attorney and instructor at the SANS Institute.
“One step a data center can take to limit risk is to get assurances from customers that they are not storing or processing EU data and that they indemnify the center from any costs or losses related to GDPR enforcement,” he said.
GDPR Compliance as a Product Feature
Or a data center can take the opposite approach, and make GDPR compliance a selling point, he said.
That means that they will need to appoint a data protection officer, conduct risk assessments, and establish a track record of compliance, he said. Plus, data centers may need to work with customers to be able to identify what data was affected by a data breach within a 72-hour window.
That won’t be easy.
Enterprises will need to have granular control over how and where customer data resides and is accessed, said Adam Conway, VP of product management at Bracket Computing, a cloud security vendor based in Mountain View, California.
That will require a fundamental shift in data center technology, one that will be felt for decades, he said.
The Data Privacy Part
And it’s not just about cybersecurity. GDPR covers a broad range of areas related to data privacy.
For example, it requires that companies delete personal data when requested by customers or employees, said Eric Dieterich, data privacy practice leader at Focal Point Data Risk.
“Data centers might need to provide functionality to allow their customer to perform the right to erasure for data center storage of personal data,” he said.
More Physical Security
Another challenge is that data centers may need to put more robust physical security in place, said Tomáš Honzák, director of security and compliance at GoodData, a San Francisco-based software company.
“This causes a lot of pressure as changing a data center is a strategic and hard decision, but strengthening data center security practices is likely to be a costly and time-consuming exercise too,” he said.
In fact, according to Gartner, most companies that fall under GDPR still won’t be in full compliance by the end of 2018.
But the costs of non-compliance could be staggering. Failing to comply can lead to a fine of 20 million Euros or 4 percent of annual global revenues, whichever is higher. That means a breach that cost a company millions of dollars in fines before the law went into effect could cost billions afterward.