Justin Jenkins, Chief Operating Officer, Next Generation Data
What impact will the General Data Protection Regulation (GDPR) have on owners, operators and users of colocation data centres?
The GDPR is concerned with the processing of personal data. It defines processing as collection, recording, organisation, structuring, storage, adaption and retrieval, erasure or destruction; all of which are pertinent to any infrastructure provider, operator or user.
In this case it will be applicable to both controllers and processors of personal data, who must both comply and evidence their accountability in complying with the GDPR. Evidencing that appropriate security is afforded to personal data is vital where services are shared between processors and controllers upon common platforms or infrastructure.
For those that have respected the Data Protection Act 98 then this will be a small step forwards. Where this is not the case then each respective entity will need to demonstrate and evidence their journey towards compliance, in understanding and recording the personal data being processed, applying appropriate security, both technically and organisationally, to the data, alongside adequate contractual arrangements and clear processes for such areas as breach notification and data subject rights.
The onus of the regulation is as much with a data processor as the data controller themselves, as both must evidence compliance, and work in partnership to ensure that compliance is achieved. Many of these aspects are considered best practice in the protection of data, though the ability to demonstrate accountability and the effectiveness of technical and organisational measures therein will prove difficult for many.
The ability to comply with the GDPR is not seen as a silver bullet to prevent all personal data breaches. It is about ensuring the lawfulness of processing and a clear focus on the protection of the rights and freedoms of the data subjects themselves. This can only be achieved through the consistent implementation of appropriate data protection practices in people, process and technology in accordance with the potential risk to the data subject.
A well implemented GDPR programme will ensure that data is protected by design, whilst also ensuring that such protection does not inhibit the processing activity itself. It is a clear balancing act between the necessity and value of processing and ensuring that risks to the data subject are minimised.