On May 28th, the EU will introduce strict new privacy laws. The GDPR (EU General Data Protection Regulation) is intended to increase privacy protection for everyone in the EU, including non-citizens who travel to EU countries. Because the new regulations are so much stricter than the previous EU privacy regime, it’s almost certain that US colocation clients have some work to do before the end of May if they aren’t already prepared.
If you’re wondering why US-based colocation clients should care about the GDPR, the answer is that they don’t have to, unless they do business in the EU that involves processing and storing the personal data of EU citizens. The penalties for non-compliance are stiff, with fines of up to €20,000,000 (around $24,600,000) or 4 % of annual turnover.
It’s expected that EU data protection organizations will zealously enforce the GDPR, although the exact mechanisms of enforcement aren’t entirely clear at the moment.
If you collect, process, or store data from the EU on your colocated hardware, your business is liable if it doesn’t comply with the GDPR. Unlike previous privacy regulations, this applies to both controllers (companies that collect and “own” the data) and processors (companies that handle data on behalf of a third party). In essence, if the data of EU citizens touches your servers, the GDPR applies.
As a side note, even though the UK will be leaving the EU in the near future, its government has signaled its intention to introduce national laws that are compatible with the GDPR, so US colocation clients will likely have to conform to the rules of the GDPR even if they only do business in the UK.
What does GDPR compliance require?
The GDPR itself is a lengthy document, so you or your lawyer should give it a close examination, but, in a nutshell, the GDPR is about transferring control of personal data from the businesses that collect it to the individuals it concerns. The GDPR covers any data that might be used to identify an individual, which includes names, addresses, images, IP addresses, credit card details, location data, and more.
The main points of the GDPR concern consent, access, deletion, and breach disclosure.
Breach disclosure. If you suffer a data breach that leads to the exposure of protected data, you are obligated to inform those affected within 72 hours.
Access. EU citizens have the right to access any personal data stored by a company on request. They also have the right to take that data and give it to anyone they want.
Consent. Businesses must ask for consent before collecting personal data, and they must disclose exactly how that data will be used in advance. It’s no longer enough to have a long and vague privacy policy full of generalizations about how data will be used: people have to know what they’re agreeing to.
Deletion. Under right-to-be-forgotten regulations, EU citizens can request the deletion of any identifying information.
Preparing For GDPR
Any colocation client that does business in the EU should already be prepared. If not, you have only a couple of months to put measures in place. At a minimum, carry out a comprehensive data survey: if you’re storing the data of EU residents, you need to know where it’s stored and what the risks are.
It’s likely that your current privacy policies and consent processes are inadequate. In particular, you must clearly state what you intend to do with the data you collect at the point of collection. Don’t automatically opt users into data collection: any opt-in user interface element must not be in the opt-in state by default, so no pre-checked opt-ins for data collection.
Implement user interfaces and processes that allow users to request and gain access to personal data. It’s likely that this will be one of the most onerous requirements for businesses with a lot of data.
If your business isn’t already prepared for GDPR, you don’t have much time left to do the necessary work. The May 28th deadline is almost here.