If you are handling the personal data of EU residents, then you need to take GDPR very seriously. This means that if you are looking at colocation, you need a vendor that can manage GDPR colocation. Here is a quick guide on what you need to know about GDPR colocation.
The basics of GDPR
GDPR stands for General Data Protection Regulation. GDPR rules apply to the data of all EU residents in all circumstances. This includes EU residents who are nationals of another country. The rules apply to all of their personal data, no matter where in the world that data is stored or processed.
For example, if a US citizen is ordinarily resident in the EU, then they are covered by GDPR even if their data never actually touches the EU. If they go home on vacation and hand their data to a US company, that data is still covered by GDPR.
The EU has agreements with governments around the world that make GDPR enforceable internationally. Additionally, the EU requires all organizations that handle the data of EU residents to have an authorized representative in the EU. This is essentially a person who takes responsibility for ensuring that the organization they represent complies with GDPR.
Penalties for non-compliance with GDPR can be severe. In fact, technically, they can include prison sentences. Realistically, fines are far more likely. These are, however, set high enough to be a significant deterrent to non-compliance (or motivation to comply). Under current rules, they can be up to 17 million euros, or 4% of a company’s global turnover of the preceding fiscal year, whichever is higher.
The basics of colocation
Pure colocation is when an organization rents space in a third-party data center where it houses equipment it owns and manages itself. In the real world, however, colocation vendors often provide other services (e.g. they can act as managed service providers). This can have implications for compliance programs in general and GDPR in particular.
The basics of GDPR colocation
At a very basic level, GDPR colocation works much the same way as any other form of secure colocation. In other words, the sort of measures that will ensure any organization complies with programs such as HIPAA, FISMA, and CMMC are the sort of measures that will ensure compliance with GDPR.
At the same time, however, GDPR has a very specific legal framework that anyone involved needs to be sure they understand. In the context of GDPR colocation, the key point is that GDPR draws a distinction between data processors and data controllers. As the names suggest, a data processor processes data in some way. A data controller “determines the purposes and means of personal data processing.”
At first glance, it may appear that colocation providers are exempt from GDPR because they just provide infrastructure. This may be true in some cases, but GDPR colocation providers are usually considered data controllers. They are generally considered to provide “the purposes, conditions, and means of the processing of personal data.”
If the GDPR colocation provider offers any sort of add-on services, then it may well become a data processor. For example, if their support package means that they may have to reboot your servers, then they become data processors.
The practicalities of GDPR colocation
In the real world, GDPR colocation essentially boils down to two main factors. These are physical security and robust policies and procedures.
The need for physical security is self-evident. There is no point in implementing the world’s most advanced digital security controls if somebody can just walk right in and steal a server. The client has overall responsibility for protecting their data. This means they need to ensure that any GDPR colocation vendor they use is implementing rigorous security.
They also need to ensure that they are still taking appropriate steps to ensure the physical security of their own area within the data center. This means, firstly, ensuring that it can only be accessed by authorized personnel and, secondly, ensuring that all team members are appropriately vetted before they are given access to the area.
If a client is using a managed service provider, then the client needs to ensure that the MSP is vetting their staff appropriately.
Robust policies and procedures
Having robust, written policies and procedures is generally a key part of complying with any data-security program, and GDPR is no exception. As with most data-security compliance programs, GDPR operates on the premise that all data must be collected, processed, and stored mindfully.
It can be very helpful to look for a GDPR colocation vendor with demonstrable credentials (e.g. ISO 27001). Just keep in mind that having these credentials is not enough, on its own, to demonstrate compliance with GDPR.
Discover the DataBank Difference today:
Hybrid infrastructure solutions with boundless edge reach and a human touch.