The European Union General Data Protection Regulation (GDPR) will come into effect next month. And while the majority of the focus has been on what will happen if companies fail to comply, over half a billion people stand to benefit from the new regulations, which put personal data collection and protection practices of organizations worldwide under the microscope.
The question is, how will compliance with the GDPR impact the data center industry?
The Purpose of the GDPR
In an increasingly open and social world, the need to protect data has become paramount. While the internet, tech advances and the demand for data have altered the way we live, this has come at a cost, perhaps the largest of all being privacy.
The regulations, approved in April 2016 and to be enacted on 25 May 2018, aim to give consumers control over the personal data that is collected by companies. The GDPR, which protects data and privacy for individuals within the European Union (EU), seeks to update data protection for the 21st century, where consumers are required to share their personal information in exchange for services.
Importantly, despite this being European legislation, the GDPR affects companies based outside the EU if they offer goods or services to, or monitor the behavior of, people located within the EU.
The main areas the GDPR focuses on include conditions of consent, how data is stored, minimization of data collection and storage, notification of data breaches and how consumers can access or erase their retained personal data.
A mandatory breach notification requirement of 72 hours will also come into effect where a data breach is likely to “result in a risk for the rights and freedoms of individuals”. With a recent survey finding that 70% of consumers would leave a business following a data breach, it’s in an organization’s best interest to take privacy and data protection seriously.
In order to encourage trust, consumers need to feel their privacy is protected, which in turn gives them the confidence needed to utilize technology to its full potential.
While analysts say that the adoption of the GDPR is moving ahead as expected, research has shown that many small to mid-sized businesses (SMBs) are not ready.
Alarmingly, more than 20% of small businesses in some parts of Europe are not even aware of the GDPR, and for those outside of Europe, almost half are unaware.
While mid-sized businesses show more understanding, almost half of European SMBs are yet to take compliance action.
Outside of Europe, the numbers improve with 38% of small businesses and 55% of mid-sized businesses already compliant. Interestingly, one third of SMBs in Europe and half of non-European SMBs indicated that they have zero plans to comply with the GDPR.
Being so close to the deadline for compliance with the regulations, these levels of unpreparedness (and unwillingness to comply) are significant.
GDPR and the Data Center Industry
The GDPR will affect organizations across all industries and require acceptance from many disciplines (this is not an “IT issue”). A cultural change is needed as the GDPR affects anyone who processes, handles and protects personal data for EU citizens (that’s 511.5 million people).
In particular, it concerns how and where the data is obtained, how it’s used, how it’s stored and who it’s passed on to.
The point of storage is an important one in the GDPR discussion. Whilst consumers are expected to trust enterprises to protect their privacy, organizations must also trust third parties to protect them against a GDPR compliance breach.
This extends from cloud providers, to marketing systems, tools and CRMs, to the very data center that promises to securely store the personal data of enterprise customers. The high penalties are sure to have many organizations closely reviewing and subsequently changing their preferred suppliers.
With the looming threat of fines up to 4% of worldwide revenue or up to 20 million Euros (whichever is higher), the GDPR should be top-of-mind right now for the legal, marketing, sales, HR and IT departments of organizations worldwide.
Doom and gloom aside, GDPR compliance could become a selling point for those savvy (and highly secure) data centers located in Europe or the European Economic Area (EEA). We are already seeing enterprises choose to colocate in or build data centers in certain locations based on ease of compliance with the GDPR.
So Where to From Here?
The ability to ensure GDPR compliance and protection of consumers’ information is of critical importance going forward. Therefore, when it comes to considering where to store customer data, there are a number of markets that stand to benefit from the GDPR regulation, specifically the EU member states.
Considered the financial powerhouses of the EU, Germany and France are continuing to expand their data center footprint. Facilities in both countries will offer enterprise customers reassurance of their compliance with the new GDPR regulations, particularly cross-border processing.
An EEA member, Norway has conveniently released an ambitious data center investment plan just three months before the GDPR will take effect. The strategy is to position the country as a competitive “data center nation” in Europe. The detailed plan includes regulatory and tax-based government support to encourage more large-scale data center operators to the country.
Described as the “emerald bridge” between the United States and Europe, Ireland is the fastest-growing economy in the Eurozone. Complementing its importance as a gateway to Europe, the country also has a highly-desirable tech-savvy workforce, generous corporate tax incentives, and an energy supply that is both cheap and sustainable.
And now, thanks to the GDPR, Ireland ticks another important box when it comes to data center investment. The country will be unaffected by the restrictions on the transnational transfer of data on EU citizens given transfers can occur among any of the 28 EU member states.
Tech Leaders Make Their Move
For Facebook, while a series of privacy changes were already being rolled out, the GDPR has now forced the company to be even more stringent, changing the way the organization collects, handles and sells information.
Slack, on the other hand, has been vocal in achieving internationally recognized security certifications for ISO 27001 (information security management system) and ISO 27018 (for protecting personal data in the cloud). The enterprise communication platform is also currently investing in security infrastructure and looking to offer products that include new tools for data management and security.
Finally, Zendesk has advised its 100,000 customers that they can now choose the region in which certain service data is stored – for a fee. Customers can select either the United States, Asia Pacific or the European Union as their hosting location by purchasing the Data Center Locality Add-On.
There is no disputing the fact that today’s day-to-day landscape is heavily reliant on the transfer of data. As we immerse our lives even further in a digital world, the protection of privacy will be crucial and top-of-mind for consumers. By reinforcing the rights of individuals to privacy, the GDPR is most definitely a positive move in instilling consumer trust now and into the future.