How to Get Ahead with Data Protection

Eric Boonstra, Managing Director, EvoSwitch

Data Protection is set to be one of this year’s main headaches. This month has seen announcements about both the new GDPR (General Data Protection Regulation) in the EU and the Privacy Shield agreement with the US, so progress is being made. However, for CTOs/CIOs on both sides of the Atlantic this means more new processes and potential shifts in strategy in an unsettled environment where there are no guarantees that today’s political agreements will turn into hard and fast law.

 

New Regulation, New Responsibilities

 

Following six years of discussion and debate, a draft of the new EU General Data Protection Regulation has been released. The new Regulation, set to become law in 2018, will replace the Data Protection Directive (DPD), but there are still many questions around implementation and interpretation. Responsibility for data protection has been extended from data controllers to data processors and now includes businesses with no physical infrastructure in the EU that nevertheless do business here. There are strict new regulations on, among other things:

 

 

Data collection/consent, classification, disclosure and documentation.

Individual data protection: at collection, during migration (‘right to data portability’), and thereafter (time limits on holding data and ‘right to be forgotten’).

Notification regarding data loss or security incidents (‘right to know when you are hacked’)

 

 

With fines for breaches of up to 4% of global annual turnover (or €20 million, whichever is higher), you don’t want to run the risk of non-compliance when the regulation launches.

 

EU-US Privacy Shield: Political Progress

 

Companies are also watching with some anxiety as the tug of war between US and EU data protection standards continues. This month saw the provisional announcement of the new EU-US Privacy Shield agreement. The new agreement promises to enforce more ‘robust obligations’ on firms with access to personal data, with safeguards and transparency on US government access and a new ombudsman to handle user complaints. However, as with the defunct Safe Harbor agreement which it replaces, the new agreement could be overturned in the EU either by the CJEU (the European Court of Justice) or by individual national Data Protection Authorities.

 

Infrastructure Impacts: Securing your Clouds

 

From an infrastructure perspective, providers like EvoSwitch can offer a mix of solutions to support our customers’ data protection needs as they change.  With constantly expanding colocation space in both the EU and the US that meets the most exacting international security standards, secure data storage in the appropriate geography is not an issue.  For companies looking for a hybrid solution, the new focus in the regulation on the data ‘processor’ rather than data ‘controller’ is good news, as it shifts some responsibility for data handling and documentation to Cloud Service Providers (CSPs), and many CSPs are already well positioned to address the regulations through a mix of best practice and certifications.

 

Choose your Clouds Wisely

 

Choice is key here to ensure your CSPs are not only compliant but sufficiently agile to adapt to a regulatory environment that is still evolving. This is something which, with some 25 CSPs including all the major public cloud providers, the EvoSwitch OpenCloud delivers. The broad ecosystem we offer avoids vendor lock-in, giving you strategic flexibility well beyond the start date for the GDPR, and enables you to leverage Public Cloud for less latency-sensitive data or applications, while keeping other data in a Private Cloud for compliance or latency purposes.

For more information and to request access, please visit https://opencloud.evoswitch.com

 

