Unless you’ve been living under a rock, you’ll at the very least know the basics of the General Data Protection Regulation (GDPR) which came into force on 25th May.
GDPR requires all companies processing the personal data of EU citizens, anywhere in the world, to assess their security protocols in relation to data sovereignty and to evaluate compliance across their own business and across every part of their supply chain that processes personal data. How personal data is stored is now of paramount importance, with severe repercussions for those not adhering to GDPR.
It represents a new dawn in data privacy and protection – but it is very much the beginning of the debate, rather than the end. So what can we expect to see happen to data privacy laws and practices in the years to come?
Taking back control
In the immediate future, we’ll see a period of alignment as businesses in Europe, or businesses providing goods or services to EU citizens, complete or optimise their implementation measures and get to grips with the new regulations. We will also see how the EU and local regulators start to enforce these regulations, with some no doubt looking for high-profile scalps and headlines to match. Organisations not complying may be liable for penalties of up to €20m or 4% of a company’s annual turnover, whichever is higher – so the consequences of any non-compliance, or of major mistakes made in implementation, may be extremely costly.
In the longer term though, even without the big stick from the EU, we will also start to see a real mindset shift around personal data privacy, with both companies and the public thinking more about the implications of the explosion of data we’ve experienced in recent years. Although some have seen it as a tiresome process, the purpose of GDPR is ultimately to make people aware of what is going on with their personal data and to put legal structures in place to protect people’s rights online. Many have commented, amid the flurry of recent GDPR-related emails, that they did not even know how many companies had been retaining their personal data in some database – and that is the point.
Everyone from members of the public to legislators wants to know that the personal data leaving their laptop or phone is treated with the same respect as any other currency. In the past, we’ve happily ticked a box to give access to our data with no real understanding of what it would be used for. GDPR is elevating the protection of personal data to a place more fitting of its critical importance, while recognising that high volumes of personal data move around the world every second and will continue to do so.
Setting up the next steps
The question GDPR is really asking companies is whether they are properly managing the personal data that’s been entrusted to them, and whether they can demonstrate that they have put the appropriate systems and processes in place. In the era of cloud computing and IoT, data is constantly flowing from one end user to another, making it that much harder for businesses to ensure, with full confidence and transparency, the security of that data.
The data centre industry has assumed a key role and responsibility in helping customers who are wrestling with this issue. Equinix is a multi-billion-dollar company but, unlike most firms our size and most of our customer base, we obtain and manage very little personal data – we’re a major multinational with the personal data footprint of a virtual corner shop. But much of the personal data in the world passes through the servers in our data centres, and that makes us motivated and well placed to understand how to interpret and navigate GDPR for ourselves and our customers. That’s why we set up the Equinix Privacy Office as part of our GDPR compliance programme. Our team of subject matter experts has helped customers understand their obligations as ‘controllers’ or ‘processors’ of personal data, advised on contract negotiations around data privacy assurance, ensured vendors are upholding and adhering to the same best practice standards that GDPR demands, and advised on next steps.
What does the future hold for GDPR?
GDPR has only just launched in the EU and is still in its early days, so it is difficult to predict the short-term impact it will have on data privacy, let alone the longer-term impact. Industry has made its best guess at what GDPR requires of it, and the response of EU regulators on enforcement will be key. However, GDPR has been making waves around the world, so it will be interesting to see whether further industry convergence and global standards around the currency of data in our digital economy emerge, as was the case with other global issues like climate change at the end of the 2000s.
More countries are legislating in this area than ever before. In the years to come, will a regional regulation become subsumed into an international one? If all data is global, should some part of the UN or a similar body have control of data regulation, including personal data? Should countries cede more control to multilaterals or to a yet-to-be-formed government-industry body with worldwide jurisdiction? It’s probable that major regional political groups wouldn’t want to cede power, and it’s certain that many countries wouldn’t want to play ball. But with a definite shift in public opinion over data privacy underway, there’s no doubt the idea is already being played with by various decision-makers – any business that wants to understand the GDPR end-game needs to be thinking about this eventuality too.
Peter Waters is Privacy Officer and Vice-President of Legal at Equinix