With the deadline for enforcement occurring in only seven months’ time, the General Data Protection Regulation (GDPR) is set to overhaul the way companies manage customer data from the European Union. With its wide-ranging effects on the understanding and handling of customer data, the regulation will certainly have an impact on the way information is collected and flows through businesses. In turn, this shift will influence the way data centre facilities are managed.
Sifting through personal data
In preparation for the regulation, some companies have already been auditing their customer data. In doing so, they need to make sure that whatever is on file is up to date and that any irrelevant data is kept to a minimum. In this vein, British pub chain Wetherspoon’s recently deleted its entire customer email database on the grounds that “The less customer information we have… then the less risk associated with data.”
Wetherspoon’s move to clean up its customer database reflects one of the GDPR’s most notable provisions: the right to erasure, or the right to be forgotten. According to this mandate, personal data must be deleted once it has served the purpose for which it was collected. And this does not just apply to data collected from here on out. Even historical data collected years ago and left idle on company servers will need to be deleted. As a result, companies will need to sift through every bit of information carefully to make sure nothing is missed in the GDPR clear-out and realignment.
Businesses which open new data centres in the EU must ensure that they comply with the local standards. In the past year, companies such as Talend, Equinix and Rackspace have all opened new data centres on European soil with a view to meeting growing demand on the continent. To match the new data protection requirements, these companies need to guarantee that their customers can access their personal data at any time of the day. To do so, they need to maximise data centre availability and uptime with efficient management processes. Then, in the event of an incident, be it a power outage or a security breach, they must also be able to restore their customers’ personal data.
Keeping up with your assets
With so much information being removed or relocated, companies must make sure they are keeping track of their data centre assets. Do they know if any logical or physical assets have been taken off the network? Has an asset been added? In short, businesses must keep close track of their facilities, identifying what has been brought online and what has been taken away. Otherwise, they risk gaping holes in their records which could translate to masses of wasted energy. Moreover, at a legal level, failure to demonstrate due diligence will make them liable to the huge fines demanded by the regulation.
Ignoring asset management during the GDPR overhaul could generate electrical and financial waste in the long term. If data centre managers do not pay close attention, they risk overlooking zombie servers lurking in their facilities. These are servers which run covertly in the background, taking up physical space, but not serving any real purpose to the company. These silent burdens generate unnecessary heat and burn through vast amounts of energy. As such, companies must be proactive to either re-activate them or shut them down depending on need.
Is your data processing safe?
According to Article 32 of the GDPR, companies are required to ensure 'a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing [of data].' To most, ‘security’ here can refer to the need to defend against cyber criminals. However, to the data centre manager, ‘security’ will refer to protection against power outages, network disruptions and natural disasters as well.
In maintaining the security of their data centres, companies must ensure they meet or even exceed the necessary service level agreements. These make sure that the data centre’s key infrastructure elements and metrics, including uptime, availability and power, are of a high standard, mitigating the chances of power outages and downtime.
The location of the data centre is also a key factor in its security. A site which is vulnerable to natural disasters such as floods and earthquakes should be avoided, as it can have a huge impact on the business in the event of an unanticipated disaster. In addition, the facility must be in a place with abundant access to electricity now and for the long term, with lots of internet paths going to and from the complex. This will allow customers and stakeholders to access data at any time, whenever it is needed, without the worry of a power outage.
Now is the time to act
A lot has been said about the changes GDPR will bring to security and data governance. However, when it comes to data centres, information technology asset management (ITAM) managers will play a crucial role. They need to know what devices are deployed, where they are and what software they can access. They need to demonstrate to their customers and to the authorities that they have full control over the processing of their personal data. Otherwise, when the compliance officers come for a check-up, or, worse still, in the event of a breach, businesses will need to pay the fines of up to 4 per cent of their annual global turnover or €20 million.
The regulatory fines of GDPR come into full effect in only a few months’ time. As such, companies will need to review their data governance practices now or potentially face the consequences. Not only does this mean sorting out data governance processes, it also means protecting their data centres at a DCIM level to ensure that the processing of personal data is done safely and securely. This means keeping track of their assets, both virtual and physical, reducing the risk of power outages and maximising the uptime of their facilities to allow customer access at any time.
Mark Gaydos, CMO, Nlyte Software