Businesses have over a year before the EU’s General Data Protection Regulation (GDPR) goes into effect in May 2018, but experts say it’s not too early for cloud providers to start thinking about how they will comply.
In an interview with Talkin’ Cloud, Patrick Lastennet, Interxion’s director of marketing and business development, says that cloud providers should start evaluating their systems and processes now to ensure they protect data adequately under the new regulation. Interxion, a European provider of colocation services, is watching the issue closely as its clients turn to the company to provide compliance guidance.
GDPR, which will start being enforced on May 28, 2018, has a broader scope than the current 95/46/CE Directive, and will mean that more companies headquartered outside of the EU will have to comply with European data protection rules. A study released in July found that European businesses are still fairly unprepared for the new data privacy regulation.
Lastennet says that the scope of the new regulations is significant, and will impact cloud service providers of all sizes.
“It’s a big deal because we’ve moved at the European level from a directive to a regulation,” he says. “With a directive there’s some scope of interpretation by country and it’s not necessarily always punitive; here the regulation means the same law gets passed into every European country.”
“Another very important principle is that it places the burden of proof on the organizations, whereas previously individuals had to prove they’d been impacted by personal data misuse or breaches,” he says. “The organizations… need to essentially prove that they’ve done all the right things to protect the data.”
Under the GDPR, technical identifiers like IP addresses are considered personal data, which means cloud providers should look at their systems and review their processes around how this type of data is protected.
Brexit, and the political climate around the globe, may make data protection rules more complicated.
Data transfer outside of the EU is a “really hot topic,” Lastennet says. “You’re entitled to transfer data to countries which are adequate with European protection regulation and it gets a bit tricky… the process by which countries are deemed adequate is really at the discretion of the governments.”
“Whether the U.S. becomes adequate or not is largely depending on political forces interfering there,” he says.
Compliance with regulations such as GDPR is a key reason cloud providers have rolled out compute and storage within the EU.
“The trend started with Ireland and Amsterdam to a certain extent and then everyone went to Germany, which has got the strictest data protection rules,” he says. “Then we see all these cloud providers go to other areas like France and Spain, and also gateway cities like Vienna and Stockholm, as well as cloud providers deploying locally.”
“We’ve seen other European cloud providers argue that no matter what the data must reside in the country and I think that angle is not going to work because you don’t necessarily have to have all data localized within the country where it’s been sourced,” he says.
Cloud providers who take a more proactive approach to compliance will gain a competitive advantage, according to Lastennet.
“There is an opportunity for cloud providers who do the legwork with the regulation and tell the customers, ‘look, with me, you’ve got a one-stop shop,’” he says.
Other cloud providers such as Amazon Web Services or SoftLayer are offering encryption tools to their enterprise clients to help with compliance.
“Enterprises will typically use the cloud to run applications and store data, make sure that everything is encrypted within the cloud, but the management and the key custody is actually completely disassociated from that cloud environment,” Lastennet says.
Interxion typically sees clients host a couple of HSMs (hardware security modules, devices that protect encryption keys) in its own data centers and then use its Cloud Connect secure connectivity to connect back to their application in the public cloud.
Update: An earlier version of this article misidentified Interxion's customer City Network.