GDPR Is Coming Soon. Will You Be Ready?

Peter Waters

Whether you’re well aware of the GDPR, or whether you know it only as an odd acronym that’s continuously popping up in your news feeds, it’s a very big deal.

GDPR is the EU’s General Data Protection Regulation, and it will affect any business that offers goods or services in connection with EU citizens or handles their personal data in some way. In the digital age, that could encompass enterprises anywhere. The new regulation is built on some familiar privacy principles, but UK Information Commissioner Elizabeth Denham warns, “Make no mistake, this one is a game-changer for everyone.”

The law aims to unify a patchwork of EU-based data protection laws, as well as replace the sometimes pro forma and unevenly enforced approach of the current laws and regulations with more substantive requirements and much stricter penalties for non-compliance. Enterprises may be fined up to $20 million or 4% of their annual global revenues for violating GDPR. This new regulatory approach to data privacy is designed to have serious teeth, and with it comes complex and costly compliance requirements for enterprises.

GDPR passed the EU Parliament in April 2016, and it goes into effect at the end of May this year. Enterprises everywhere are in the middle of figuring out its implications. At Equinix, we know there are lots of questions, and we have prepared some answers to highlight how Equinix is approaching its own GDPR compliance and how we can help customers and partners be ready when GDPR is enacted.

Why is GDPR emerging now?

Data privacy and protection regulations have long been on the books in Europe, but the laws were enforced inconsistently and tended to vary across countries, which created complications for companies operating both intra-regionally and internationally and looking to structure themselves that way. A move to create a standardized data privacy regime across the EU was one of the policy goals behind GDPR. To some degree, its creation coincided with an increasing concern in the EU around the protection of personal data privacy after revelations about spying by the U.S. National Security Agency, which included data-mining of European individuals and groups. This added weight to those pushing for more uniform, but stronger, protections for EU citizens anywhere in the world.

What is the central tenet of GDPR?

GDPR’s core principle is that people have the right to know and control what’s happening with their personal data. They should also be assured it is going to be handled with care and protected by the highest standards possible. And if their personal data is going to be passed on to third parties, they should be aware of it and be able impact who handles it, what’s passed on, and how it’s passed on and used by third parties. These are not new principles, but GDPR pushes way past the current approach to demand more transparency and accountability around data security parameters to make sure they are upheld and to raise the stakes for non-compliance.

What are some key challenges for companies looking to incorporate the GDPR?

In an era of cloud computing, when data can be moved anywhere in an instant, the key question is whether it’s really possible to always know what’s happening with a person’s personal data at every moment. This is a tough ask for companies, particularly in conjunction with industry trends around cloud services adoption, but companies must find a means to meet the requirement. Cloud services providers are responding to that challenge in several ways, and Equinix, with its state-of-the-art data centers and global footprint, has a role to play in the solutions being developed and offered by cloud service providers to enterprises.

How should companies approach GDPR compliance?

The principles set out in GDPR are prescribed at a fairly high level. This, combined with the fact that compliance is rarely black and white, means enterprises must interpret what those GDPR requirements mean for them, and do their own risk assessment and analysis. For instance, a company that doesn’t process a lot of personal data may decide a “silver” level upgrade of current policies will cover them on the off-chance they’re targeted by regulators usually after bigger fish. But another company in the same space may go for a “gold” upgrade because the reputational and financial risks of running afoul of regulators are just too great for their brand. In all cases, a company’s supply chain is key, and must be part of their risk assessment, whether they rely on cloud-based applications as part of their IT infrastructure or more traditional vendor relationships, such as outsourcing payroll or customer care and service capabilities.

What can Equinix do for companies working to comply with GDPR?

We recently established a Privacy Office at Equinix to help us coordinate our own data privacy matters in a comprehensive and consistent way and support our customers on their own journey towards GDPR compliance. Our core strengths position us particularly well to help enterprises navigate a key part of this new compliance landscape:

  • Industry-leading security keeps data safe: Physical security is an integral part of data security, and making sure that the servers that contain customer data (including personal data) are secure aligns with GDPR requirements to ensure data is protected by the highest possible standards. Equinix excels at physical security, and we take the same robust approach to the physical security parameters that apply to services like the Equinix Cloud Exchange Fabric, which is built on Equinix infrastructure.
  • Data proximity keeps customer data close: It is important to be clear that GDPR itself does not mandate that personal data stay close to its users, and it does not forbid the transfer of personal data. But the principle of keeping personal data close and “local” is definitely a data-privacy friendly proposition, and it reduces the burden of GDPR compliance on enterprises that handle EU citizen data. Customers and end users want assurances that they can know and control where their data is, and that’s easier to give when it’s close by. Equinix’s global interconnection platform includes 65 data centers in 13 countries in EMEA, so Equinix and services like Data Hub, which are provided in conjunction with third-party partners, can place enterprises and the personal data they handle near their end users almost anywhere.
  • Expertise keeps your compliance strategy on track: Equinix’s Global Solutions Architects (GSAs) know the ins-and-outs of GDPR. They can advise clients now on how to design their IT infrastructure to get ahead of GDPR and how best to meet its requirements after it goes into effect, including options for data residency and delivery.

Watch this video to learn more about physical security at Equinix.

Peter Waters Vice President, Legal at Equinix