As data protection regulations continue to evolve and tighten in Europe, we wanted to spend some time helping prepare our clients for how to navigate the impending GDPR deadline later this spring.
Recapping the End of Safe Harbor
Safe Harbor refers to the set of principles developed between 1998 and 2000, designed to give the EU sufficient assurance of data security while keeping data and commerce flowing openly with the U.S. The agreement outlined 7 principles that U.S. companies were required to comply with:
- Notice: The purpose behind data collection and usage must be fully disclosed.
- Choice: Opt-out opportunities must be provided to all individuals, and sensitive information must require an opt-in.
- Onward Transfer: All future data transfers must follow Safe Harbor Privacy Principles or another comparable directive.
- Security: Information must be adequately protected.
- Data Integrity: All personal data gathered must be relevant, and the data’s reliability should be verified.
- Access: If an individual’s personal information has been gathered, they must have the right to access and modify or remove inaccurate information.
- Enforcement: Compliance with these rules must be verifiable for each organization, with sanctions readily available for those who do not follow through on their data privacy commitments.
However, after the end of Safe Harbor caused by Max Schrems’ case against Facebook, the future of international data transfer changed drastically. Companies wanting to send information from the U.S. now faced stricter data transport rules. Our Quick Guide to Understanding the Impending Changes to Safe Harbor explained what enterprises needed to do in order to navigate the end of Safe Harbor, including learning about regulatory guidelines, working with knowledgeable MSPs, and partnering with a telecom consultant to guide them through the process.
Moving on to GDPR
After the grace period for Safe Harbor was up, the act put into place was the General Data Protection Regulation, or GDPR. Its main aim is to give European citizens control back over their personal data, while also simplifying the regulatory environment for international businesses. Public opinion on data protection in Europe differs from that in the U.S.: Europeans are more suspicious of digitization, and of the big organizations that process the huge amount of shareable data. This is one of the biggest reasons that cloud adoption is behind the curve in Europe. GDPR aims to remove this concern by enforcing the regulations, allowing Europe to catch up.
GDPR becomes officially enforceable in May of 2018. When it does, all EU countries will have to comply with this same set of rules. One of the biggest aims of this new legislation is consent, meaning that it must be explicitly stated what data will be collected from users and what that data will be used for.
The enterprises this new act will affect most are U.S. companies that don’t have a base in the EU. They will be subject to significant fines if they don’t comply with the complex rules. To make things more complicated, the U.S. was not included on the small list of countries with “adequate security,” which would have given them fewer restrictions. The U.S. Congress also had to concede to let Europeans sue U.S. agencies that misuse their data. Rules such as these will impact the way that U.S. enterprises can do business online in the EU, and our podcast goes over some of the ways in which they can prepare.
NEF’s Mike Murphy sat down with Patrick Lastennet, Director of Business Development and Strategy for Interxion’s Financial Services Segment, to help us understand some of the ins and outs of GDPR. When asked for his insights on what companies should be doing to prepare, the first thing he recommended was appointing someone to oversee data privacy and implement a program that shows progress towards compliance. Doing this will avoid potentially enormous fines, even if a company is not totally compliant by May of 2018. He also stressed that, while data transport is important, it will not be the only aspect of online business that needs to be reviewed in order to be compliant. Businesses must understand how their entire IT infrastructure is set up in order to completely follow the mandates set by GDPR.
The trend he’s seeing is that major cloud providers are distributing their customers’ content throughout Europe, as opposed to serving their customers through just one colo site. Patrick estimates that the biggest providers now have a presence in all of the European capitals, which is considerably different from a few years ago. This means that if you need to reach the European markets effectively as an enterprise, you need to consider broadening your reach on the continent, as well as inspecting your colo or cloud providers for compliance and performance, and you need the right partners in order to do so. Interxion – a European colocation provider themselves – is seeing big demand for service in gateway cities with subsea cables that connect Europe to other continents and to Central Europe. They are also seeing trends in deployment where customers are less worried about which colocation site they will move to when their lease is up, and more concerned with what they need to migrate and which sites can offer them exactly what they want. In other words, there seems to be a move towards adapting private, custom deployments rather than building brand new ones.
For more insights from Interxion on the new GDPR guidelines, listen to Mike Murphy’s full podcast interview with Patrick Lastennet. If you are a business concerned with complying with the new set of privacy regulations, or are interested in learning more about your international data storage options, contact NEF.