Organizations around the world are focused on May 25th, the date the European Union (EU) General Data Protection Regulation (GDPR) goes into effect. The GDPR mandates strict protections for the personal data of individuals in the EU. Any organization that processes or stores such data must comply with these new rules, whether or not it is itself established in the EU.
A March 2018 survey conducted by Opinion Matters suggests that few organizations will meet the GDPR deadline. Two-thirds of IT decision-makers said their organizations may not be prepared, and 35 percent worry that the financial penalties for noncompliance (up to 4 percent of annual global turnover or €20 million, whichever is higher) could threaten their very existence.
In some respects, the GDPR is similar to other data protection regulations in that it requires technical and organizational controls for ensuring data security and privacy, and notification of the supervisory authority (within 72 hours) and of affected individuals should a data breach occur. Taken as a whole, however, the GDPR is far broader in scope than other regulatory requirements. U.S. businesses in particular are being forced to rethink their data management practices and even the location of their data centers.
For one thing, the GDPR gives individual data subjects substantial control over their personal information. Organizations must be prepared to give individuals access to their data, and to explain clearly and in plain language how they are using the information, how long the data will be retained and who it will be shared with. Individuals have the right to correct any inaccuracies, to object to certain data processing activities, and to request that their data be erased (the “right to be forgotten”). While there are certain limitations on these rights, organizations generally must comply with such requests within one month.
In order to meet these requirements, organizations will need to know where all of the data related to an individual is stored and be able to access it quickly. However, only 39 percent of organizations surveyed by Opinion Matters said they’re confident they know where their data is stored.
The geographic location of data matters under the GDPR, which restricts transfers of personal data out of the EU unless appropriate safeguards are in place. Data can be transferred freely among the 28 EU countries as well as Iceland, Liechtenstein and Norway (which with the EU make up the European Economic Area) and 11 other countries that have been deemed to have an "adequate" level of data protection. Note that the U.S. is not among those countries, although U.S. organizations can receive EU data by participating in the EU-US Privacy Shield program.
Given the complexity of the rules and the high financial stakes, many U.S. organizations are opting to store their data in EU data centers. Many cloud service providers are looking at EU data centers as well. However, service providers and customers alike will need to carefully manage traffic flows and the location of cloud gateways, since a request routed through a gateway outside the EU is itself a transfer. Data can also flow to other countries under standard contractual clauses, binding corporate rules, codes of conduct and certification schemes, but binding corporate rules and similar mechanisms must be approved by the appropriate supervisory authority.
As the deadline for compliance looms, the GDPR is having a broad impact on data center decision-making. Rahi Systems has the expertise and global footprint to help you navigate these decisions and work toward meeting GDPR mandates.
Join us for a Webinar on April 18th to learn more about how GDPR will affect your business.