Verne Global


16 January 2018

GDPR and how it will affect you

Written by Peter Judge (Guest)

Peter Judge is the Global Editor at Datacenter Dynamics. His main interests are networking, security, mobility and cloud. You can follow Peter at: @judgecorp

Privacy is important. It’s costly to provide, and it limits what corporations and governments can do with our data. But, as Tom Squirrell pointed out in his recent blog, European legislation is set to ensure that the cost of privacy has to be paid - and it will affect you.

The European Union is keen to ensure the privacy of its citizens and has produced the General Data Protection Regulation (GDPR). This is going to affect service providers and people doing any kind of business, because it will change how you have to handle your customer records.

It’s coming into force in May 2018, and there’s plenty of evidence that most companies are woefully unprepared for it. Among other things, they will have to get a higher level of consent to use and share personal details, they must be able to provide people with an account of how they have used those details, and provide a “right to be forgotten” allowing users to request their details be erased.

For the data center industry, there’s a glimmer of hope. The GDPR distinguishes between being a “controller”, a company that uses the data, and a “processor”, a company which simply holds and handles that data. Most data centers fall into the latter category, and the demands are lighter - though a processor must meet high levels of security.

For those looking after actual customer data there is no way out of GDPR compliance. Being based outside Europe is no excuse. One of the reasons for the creation of GDPR was the fact that EU citizens’ data was held in the US, where it was subject to government scrutiny under schemes such as Prism, revealed by Edward Snowden.

The Safe Harbor provision that allowed this data sharing was demolished in a privacy case brought by Austrian lawyer Max Schrems. It’s been replaced by a little-tested provision called the Privacy Shield. The EU has issued an interim “adequacy decision”, which says the Privacy Shield’s provisions are good enough for current regulations, but that is being challenged by campaigners, and will also need to be re-visited to determine whether the Shield matches the more rigorous demands of GDPR.

It is hoped that the Privacy Shield will be robust, so that US providers who meet its requirements will be allowed to hold European citizens’ data.

There are also doubts for British businesses. The country will have to implement GDPR, even though it is in the process of attempting to negotiate an exit from the EU. Even so, when (if) the country actually leaves, it will become a “third country” outside the EU, and will also have to have its regulations evaluated, hoping for an adequacy decision like that held by the US Privacy Shield.

All told, GDPR is something you need to get to grips with. It is straightforward in principle, but the implementation will be tricky.

There’s one big reason you can’t ignore it though: all business is becoming more international, and customer data has to move. Even if Britain leaves it, the EU remains a huge trading bloc, and you won’t be able to do business there unless you understand and comply with GDPR.
