The issue of data privacy and sovereignty has dominated the news over the past year, as the member states of the European Union (EU) have individually and collectively taken a more proactive stance regarding the protection of personal information following the revelations made by Edward Snowden and an accelerating trend towards digital transformation of European services and enterprises.
Some countries, including France and Germany, have taken a more stringent and punitive stance, while others, like the UK and Ireland, have maintained a 'wait and see' attitude as more inclusive and business-friendly frameworks such as the EU-US Privacy Shield continue to be refined.
Few, however, have left enterprises more perplexed than the EU General Data Protection Regulation (GDPR). According to a recent survey, over 80 percent of global IT and business professionals say they know few details or nothing about the GDPR, and fewer than one in three companies feel they are prepared for the regulation today, largely because the discussion has not filtered down from the C-suite to the rest of the organization.
With fines of up to €20 million (about $22 million) or 4 percent of worldwide annual turnover, whichever is higher, for the most serious infractions, the cost of non-compliance is too high to ignore for any business that currently operates in the EU or plans to.
Global businesses (or enterprises with global aspirations) need to take the following into consideration as they prepare for the May 2018 compliance deadline.
Colocation and the Cloud
Over the past several months, major corporations such as Amazon and Microsoft have announced plans to establish new data centers and corporate offices in countries with more restrictive data privacy mandates, including Germany, Belgium and France. Largely driven by current and impending in-country and EU data sovereignty regulation, these moves underscore the importance of knowing exactly where corporate and consumer data physically resides.
With Safe Harbor invalidated by the Court of Justice of the EU and the efficacy of its successor, the EU-US Privacy Shield, being called into question, transmitting customer data across international borders has become an increasingly risky proposition for most enterprises, and for many the cost of building and maintaining their own data centers in one or more of these countries is prohibitive.
This is where companies should be thinking about how best to leverage the cloud and colocation to maintain compliance. For example, a U.S.-based company can keep its tokenized or encrypted data in the public cloud in any region, while holding the token vault and the encryption keys in a secure, physically auditable colocated environment in the EU.
This kind of 'colocated arbitrage' is not only more cost effective, it also limits the damage if the cloud copy is compromised, because the ciphertext and tokens are stored apart from the keys and token vault needed to reverse them. Colocating key custody close to the public cloud, in the same data centers the cloud service providers (CSPs) use to host their access points, lets the enterprise meet both the compliance and the performance needs of its customers. The separation only holds, however, if decryption and detokenization happen in the EU facility, or keys are released only to workloads running there: once a key is handed to an application in another region, the plaintext exists in that region too.
A more recent trend is Infrastructure as a Service (IaaS) providers offering 'bring your own key' or 'hold your own key' functionality, which makes the customer responsible for generating and managing the keys needed to decrypt its own data. The two differ in practice: with bring-your-own-key the customer imports a key into the provider's key management service, which then uses it on the customer's behalf, whereas hold-your-own-key keeps the key in customer-controlled hardware (for example an HSM in the colocation facility) so that the provider never holds it at all.
There are multiple ways that companies can leverage the cloud and colocation to manage data for compliance, and the choice must ultimately come down to the partners and methodology that best align with your business goals.
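The split described above, as an added example that is not code from the article or from Interxion: a Python script in which an `EUKeyCustodian` class stands in for the key-custody service in the EU colocation site (it alone holds the key-encryption key, or KEK, and the token vault), while the cloud side stores only a token for the direct identifier, a per-record data encryption key (DEK) wrapped under the KEK, and the ciphertext of the rest of the record. The cipher is a stdlib-only HMAC-SHA256 keystream with an encrypt-then-MAC tag; that is an assumption made so the file runs without third-party packages, and in production the custodian would be an HSM or KMS doing AES-GCM. The class and function names and the sample record are constructed for illustration.

```python
import hashlib
import hmac
import json
import secrets

def _derive(key, label):
    """Derive a single-purpose sub-key from a 32-byte key."""
    return hmac.new(key, label, hashlib.sha256).digest()

def _keystream(enc_key, nonce, length):
    """HMAC-SHA256 in counter mode; yields at least `length` bytes."""
    blocks = []
    for counter in range(length // 32 + 1):
        blocks.append(hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest())
    return b"".join(blocks)

def _encrypt(key, plaintext):
    """Stand-in for AES-GCM (assumption: stdlib-only encrypt-then-MAC so this
    file runs without third-party packages). Layout: nonce || ciphertext || tag."""
    enc_key, mac_key = _derive(key, b"enc"), _derive(key, b"mac")
    nonce = secrets.token_bytes(16)
    ciphertext = bytes(p ^ s for p, s in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag

def _decrypt(key, blob):
    enc_key, mac_key = _derive(key, b"enc"), _derive(key, b"mac")
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # reject tampering / wrong key before decrypting
        raise ValueError("authentication failed")
    return bytes(c ^ s for c, s in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))

class EUKeyCustodian:
    """The key-custody half of the split, running in the EU colocation cage.
    The key-encryption key (KEK) and the token vault live only here."""

    def __init__(self):
        self._kek = secrets.token_bytes(32)
        self._vault = {}     # token -> identifier
        self._by_value = {}  # identifier -> token

    def tokenize(self, value):
        # Same value -> same token, so the cloud side can still index and join on it
        if value not in self._by_value:
            token = "tok_" + secrets.token_hex(8)
            self._vault[token], self._by_value[value] = value, token
        return self._by_value[value]

    def detokenize(self, token):
        return self._vault[token]

    def wrap_dek(self, dek):
        return _encrypt(self._kek, dek)

    def unwrap_dek(self, wrapped):
        if self._kek is None:
            raise PermissionError("KEK destroyed: data is cryptographically shredded")
        return _decrypt(self._kek, wrapped)

    def destroy_kek(self):
        # Crypto-shredding: every wrapped DEK, and hence every record, becomes unrecoverable
        self._kek = None

def store_record(custodian, cloud_store, record_id, email, profile):
    """Cloud side (any region). Only the token, the ciphertext and the wrapped
    DEK are kept; the plaintext email, the DEK and the KEK are never stored here."""
    dek = secrets.token_bytes(32)  # per-record data encryption key (envelope encryption)
    cloud_store[record_id] = {
        "email_token": custodian.tokenize(email),
        "wrapped_dek": custodian.wrap_dek(dek),
        "profile_ct": _encrypt(dek, json.dumps(profile).encode()),
    }

def read_record(custodian, cloud_store, record_id):
    """Reverses the split; only works where the custodian is reachable (the EU site)."""
    entry = cloud_store[record_id]
    dek = custodian.unwrap_dek(entry["wrapped_dek"])
    profile = json.loads(_decrypt(dek, entry["profile_ct"]))
    return custodian.detokenize(entry["email_token"]), profile

def cloud_copy_contains(cloud_store, record_id, needle):
    """What someone with access to the cloud region alone can find in a record."""
    entry = cloud_store[record_id]
    raw = entry["email_token"].encode() + entry["wrapped_dek"] + entry["profile_ct"]
    return needle.encode() in raw

def is_recoverable(custodian, cloud_store, record_id):
    """False once the KEK has been destroyed, even though the cloud copy still exists."""
    try:
        read_record(custodian, cloud_store, record_id)
        return True
    except PermissionError:
        return False
```

Storing two records for the same email yields the same `email_token`, so the cloud-side application can still group or join on the identifier without ever seeing it; `cloud_copy_contains` confirms that the region's copy reveals neither the email nor the profile fields; and `destroy_kek` models crypto-shredding, after which `is_recoverable` returns `False` although nothing in the cloud store was deleted. The same code also makes a point that matters later in the article concrete: as long as the vault and the KEK exist, every record is re-identifiable, so tokenized or encrypted data is pseudonymized rather than anonymized.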
Data Protection by Design
We also need to understand the fundamental differences between how U.S. and EU businesses approach data management and compliance. In the U.S., these practices tend to be very industry-centric, with each industry having its own set of rules, regulations and governing bodies to oversee enforcement. In Europe, the policies and concepts surrounding data management and privacy are much broader.
Data privacy is viewed as a basic human right, and as such the European courts can become (and have become) involved in cases that are brought to them. With this fundamental difference in mind, enterprises looking to do business in Europe must begin integrating data protection and privacy into the corporate mindset.
From the data center to the boardroom, ensuring the privacy and security of both company and customer data should be an intrinsic value that goes beyond the 'tick the box' mentality that traditionally accompanies most compliance initiatives.
At the board level, this means empowering the Chief Data Officer (or CIO/CTO, depending on the structure of your business) to establish data privacy management best practices and holding them accountable for their enactment, and, where the regulation's Article 37 applies, appointing a Data Protection Officer. It also means recognizing the challenge of bridging the legal aspects of the regulation and their technological implications.
At the data center level, it means ensuring that customer data is handled appropriately: de-duplicating it so that fewer copies of personal data exist, and using encryption and tokenization to pseudonymize it and keep it separate from other information residing on your network. Note that encrypted or tokenized data is pseudonymized, not anonymized: as long as the keys or the token vault exist, the data can be re-identified and remains personal data under the GDPR, so the keys and the vault need the same level of protection the plaintext would.
By enacting a ‘data protection by design’ mindset now, companies can prepare for the onset of the GDPR while also accounting for future data privacy and compliance regulations.
(About the author: Patrick Lastennet is director of financial services at Interxion)