Around this time last year, US companies were scrambling to update their data privacy policies in the wake of the EU’s sweeping General Data Protection Regulation (GDPR) going into effect. Although the law protects people located in the EU (regardless of citizenship) rather than being tied to where a company is based, it had an immediate impact on companies outside Europe because many of them serve customers in EU member states. Far stricter than the data privacy standards of most countries, the GDPR’s 2018 rollout was accompanied by a flurry of questions and concerns over how it could affect multinational businesses. After its first year of implementation, we’re assessing how the impact of the GDPR in the US and around the world continues to affect data center operations.
One of the most significant data privacy laws ever implemented, the GDPR essentially established a new set of standards for the collection and processing of personal data (the law’s own term, which is broader than the US notion of personally identifiable information) gathered from people in the EU. The law requires companies to provide extensive disclosures, telling customers and website visitors what data is being collected and why, and to have a lawful basis for the processing before it starts, with consent being the most visible but not the only such basis.
In addition to notification and lawful basis, the law also redefined how data breaches are handled. Prior to the GDPR, each EU member state had its own data breach laws, which created confusion as to who needed to be informed, and how quickly, when a breach was discovered. Under the GDPR, every member state has a supervisory authority, and a company operating in several member states deals primarily with a single lead supervisory authority for its cross-border processing (the “one-stop shop”). When a breach is discovered, an organization must report it to the relevant supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to pose a risk to the people affected; where the risk to those people is high, they must be notified directly as well. The 72-hour clock starts at awareness, not at the moment of the intrusion, so the practical requirement is a detection and escalation process that can establish the facts quickly.
Failure to comply with the GDPR can result in serious fines, and the exposure is not limited to data location or transfer rules. The law outlines two tiers of administrative fines for non-compliance: up to €10 million or 2 percent of worldwide annual turnover, whichever is higher, for infringements such as inadequate security measures or failing to notify a breach; and up to €20 million or 4 percent of worldwide annual turnover, whichever is higher, for the most serious infringements, such as violating the core processing principles, processing without a lawful basis, or ignoring data subjects’ rights.
Although the law specifically addresses the data privacy rights of people in the EU, it equally binds the companies that collect and use that data. Many US companies wrongly assumed the law didn’t apply to them because they had no offices or operations in Europe. The GDPR also greatly expanded the working definition of personal data to include not just names, addresses, and financial data, but also IP addresses, cookie and advertising identifiers, mobile device identifiers, location data, and biometric data. Consequently, any website that uses cookies or similar trackers to collect IP addresses and online identifiers from visitors in the EU without informing them and establishing a lawful basis (in practice, consent for non-essential tracking) could be in violation of the GDPR.
Since the law’s reach is defined by the people whose data is processed rather than by where the servers or the company sit, companies all over the world had to implement new policies and practices to comply with the law’s expansive definition of personal data. While critics argued that the scope of the law would impose an excessive regulatory burden on companies, data privacy advocates countered that the law merely provided the protections customers should have had in the first place.
The first year of implementation saw a significant rise in reported data breaches in the EU compared to other parts of the world. A survey of C-level executives found that while 53 percent of respondents in the Americas and 44 percent of those in East Asia reported a breach, 74 percent of respondents in the EU and Africa did the same. In just the first eight months of the GDPR’s implementation, almost 60,000 breaches were reported across Europe, with the Netherlands, Germany, and the UK leading the way. The trend seems to be continuing in 2019, with the number of reported breaches for the first three months of 2019 up 56.4 percent compared to 2018.
Despite the increased reports, the total number of fines has remained surprisingly low in comparison. After the first nine months, the total amount of fines issued amounted to €55,955,871, which sounds impressive except for the fact that France’s €50 million fine against Google accounts for the vast majority of that sum. So while the GDPR has undoubtedly been a success when it comes to reporting data breaches, it has yet to demonstrate that its enforcement powers have the teeth that many of its critics once feared.
As Google would no doubt attest, US-based companies need to take the GDPR seriously. Under Article 3 of the regulation, a company with no establishment in the EU still falls under the law if it offers goods or services to people in the EU (paid or free), or if it monitors their behavior, for example through analytics, profiling, or advertising trackers. A company that does have an EU establishment is covered for any processing carried out in the context of that establishment, wherever the processing physically happens.
Since these criteria cover almost every type of business imaginable, it makes sense for every US-based company to operate under the assumption that the GDPR will apply to it. The law does distinguish between the controller, which decides why and how personal data is processed, and the processor, which handles it on the controller’s behalf, but both carry direct obligations and both can be fined. A controller must use only processors that provide sufficient guarantees, bind them under a written data processing agreement, and remains responsible for their conduct, so a vendor that fails to comply can expose the organization that hired it to a significant fine.
This last point is critical for data center customers. Thanks to SSAE 18 reporting standards, data centers are already required to consider the controls of their subservice organizations and to have vendor management processes in place when attesting to their own control environment. As more companies work toward full GDPR compliance, they can take some reassurance that SSAE 18 compliant data centers are taking steps to ensure that their managed service provider (MSP) partners and other vendors impose comparable controls to protect customer data. One caveat a practitioner should keep in mind: an SSAE 18 report attests to the controls a provider says it has, not to GDPR compliance, so customers still need a data processing agreement with the provider, a clear picture of where data is stored and which subprocessors touch it, and breach notification terms tight enough to meet the 72-hour reporting window.
The future impact of the GDPR in the US will also take the form of more rigorous data privacy and security standards at the state level, and possibly at the federal level. Shortly after the GDPR went into effect, California passed the California Consumer Privacy Act of 2018, which some are already calling the “California GDPR.” Although the legislation does not take effect until January 2020, its passage shows that the GDPR is already changing the way people view their personal information, which makes data centers committed to strong data security and availability more valuable than ever before.