On 25 May, it will be a year since the EU General Data Protection Regulation (GDPR) came into force. So, what has changed for data center owners?
One of the biggest adjustments under GDPR was the onus on the “processor” of the data to help the “controller” protect private information. The resulting impact on data centers has depended on the type of service they offer and how close they are to the information itself and the systems in which it resides.
But in general, GDPR has led to customers working more closely with data centers, asking more about exactly where their information is stored. Indeed, the past year has seen an influx of customers requesting site visits in order to complete detailed risk assessments, according to data center owners.
Following the implementation of the regulation, customers often want to audit data centers for their own risk assessment, says Vicky Withey, compliance manager at Node4, a UK data center owner.
“Over the last year, we have had an increase in customer audits: People want to be shown around and complete a questionnaire. They ask: How do you protect data and access to racks? Sometimes customers want a specific reference in the contract to confirm they have an audit requirement.”
While pure colocation providers aren’t data processors, they need to ensure robust physical security. This also sees them process small amounts of data through CCTV footage and other onsite measures.
Timothy Arnold is head of colocation at Six Degrees Group, which operates three data centers in the UK as well as providing some additional managed services.
On the colocation side, the personal data Six Degrees deals with is minimal, says Arnold. But as part of the regulation, it needed to assess the personal information it retains for CCTV and access control.
“We wrote to our customers to say there would be changes to data retention time,” says Arnold. “We used to keep access logs for a year and we now don’t need to hold them for that long: Following GDPR implementation, we keep the data for just 90 days.”
Six Degrees also had to add new terms and conditions to client contracts and provide training for its staff on how to handle data.
Policies and procedures
“Data processing” under GDPR covers a wide range: For example, storage and deletion count as processing. The regulation has therefore had a heavier impact on those that provide such services.
Over the time leading up to GDPR and during the period since, there has been a “massive uptake” in policy revisions and updates, says Fredrik Forslund, VP of enterprise and cloud erasure solutions at Blancco. His company specializes in data center services for the end of the lifecycle, including secure erasure and decommissioning to permanently remove data from drives, LUNs, servers and virtual machines.
“If you are a data center and your business model is to provide services based around the infrastructure, there has been more investment on the legal side,” Forslund says. “Previously contracts might have been straightforward, but they are now much more complex between data processor and data owner.”
For example, he says, people ask: “What would happen if we exit your infrastructure; how will data be sanitized?”
Graham Marcroft is operations and compliance director at Hyve Managed Hosting, which provides infrastructure in data centers. This makes the firm a data processor, he says.
According to Marcroft, the regulation has added more responsibility and an onus on the data processor to work closely with the controller. Meanwhile, the controller needs to make sure their data processor is compliant with GDPR.
He says GDPR gave Hyve an opportunity to look at policies and procedures already in place and assess where these needed “tweaking or changing.”
“It made us look at what we had and adjust it accordingly to be compliant,” Marcroft says.
He says Hyve started looking at GDPR 12 months before it came into place. “We spoke to lawyers to ensure contracts were GDPR compliant. We had to look at rewriting elements of contracts and we actually contacted the Information Commissioner’s Office (ICO) directly and asked for clarification on particular areas. They came back with plain English answers which helped with contract lawyers and could also be applied to staff training.”
For example, says Marcroft, Hyve has laid out a contractual process for the ‘right to be forgotten.’ If we need to remove the data of someone on our marketing list, we have to be able to prove it. We have procedures in place for this as well as for when a customer comes to the end of their contract and says, ‘you have to remove us and prove you have done it’.”
He points out: “You need to be able to provide, for example, an audit log from a server to prove you deleted the information at a specific time.”
Hyve carries out two internal audits every month. Marcroft has introduced tests such as asking staff: “I would like my data removed from the system; tell me how you would do it.”
Withey says complying with GDPR as a pure colocation data center owner is “simple” if an organization is following the right controls. “If you undergo a strong risk assessment and good risk register that makes you check your physical controls, nothing can go wrong. Even if the electricity goes, we can just carry on. We have thought of every single eventuality.”
Eltjo Hofstee is the MD of Leaseweb UK, which operates 19 data centers in locations across Europe, Asia, Australia and North America. Among the changes following GDPR implementation, Hofstee says there has been customer demand to prove data jurisdiction. “In the past this wasn’t important for customers but now they want to know if it’s stored in the UK – and they need this to be proven.”
So, a year after GDPR came into force, data center owners are embracing the changes they need to make to their processes. But what does the future hold?
One highly contentious but interesting subject is Brexit: Many customers are asking data center owners how this will affect things as the UK prepares to leave the EU.
GDPR could have “a big impact” on UK data centers after Brexit, says David Friend, CEO and co-founder of Wasabi Technologies, which provides cloud storage on demand. “Data centers in the UK currently serving EU customers may find those tenants packing up and moving their storage to Amsterdam, Frankfurt, Nice, and other data center locations in the EU. Many have already done so,” he says.
But it should also be noted that the UK has put into place its own implementation of GDPR: The Data Protection Act 2018. This means GDPR will still “be alive and kicking after Brexit,” says Jocelyn Paulley, a partner at law firm Gowling WLG.
Security by design is key under GDPR and this has emphasized the need for data centers to prove their credentials to customers. For some, the regulation has even added additional revenue streams.
Six Degrees has had more requests from customers to dispose of unneeded data. “In the past when equipment came to the end of the lifecycle, it was deleted without anyone thinking about it - but now customers are leaning on us to get rid of it in a secure manner,” says Arnold.
“Hard drives fail, but now customers retain that disk and ask us to shred it as they don’t want the data to remain. This is driven by GDPR: customers don’t want to deal with it themselves and we are seeing 500 percent more hard drives being shredded.”