Data regulation is a key consideration when planning where to host, store and process data. There are no unified global data regulations for businesses to adhere to. The regulatory landscape is regional and highly fragmented.
While some nations agree on a common set of data regulations (such as the European Union’s General Data Protection Regulation), others develop their own set of regulations. Some nations have no regulations to speak of and are starting to create them now – while others prefer not to regulate businesses too much. There are also countries that advocate for data sovereignty and discourage (or even ban) businesses from processing their citizens’ data outside of their borders.
This regulatory landscape forces global businesses either to navigate multiple countries’ regulations at a national level, or to work with a global data centre provider that specialises in operating within the fragmented regulatory environment.
Key considerations for global businesses
According to the IAPP, many businesses see regulation as a critical factor when deciding where to locate their data centres. Location has always been a key issue for data centres, but data regulation concerns add an extra layer of complexity to the decision.
A country may have an attractive tax rate, and locating operations there may mean lower latency, but if it also has complicated regulations, businesses may think twice about building a data centre there.
Businesses need to weigh several key factors when making their decisions on data centre location and management.
1. Managing the effects of GDPR
With the EU estimating that the value of its citizens’ personal data will be one trillion euros by 2020, it’s no surprise that it’s using GDPR to control how businesses use and process data.
GDPR has expanded the definition of personal data to include IP addresses. It has also given businesses operating both within and outside the EU (but which have EU customers) clear guidelines on what is and is not acceptable data processing and control practice.
Businesses must be able to prove that they are processing data lawfully. They must have explicit permission of the individual every time they use the data (unless it’s for a specific national security or law enforcement reason). Businesses must only keep data for as long as it’s needed and hold the data securely. Data breaches must be reported within 72 hours of discovery, or the business will face a potentially massive fine (up to 2% of global annual turnover). They must also provide a way to delete and transfer an individual’s data upon request.
Even though GDPR has come into force, businesses are still struggling with what they need to do to comply. The European Institute in Florence is training Claudette, an artificial intelligence tool, to analyse the terms and conditions of the fourteen largest technology firms (including Facebook and Google). It found that many of the businesses were still using unclear language and were providing “insufficient” information to their users.
Businesses need clarity of communication with customers. They have to guarantee access to data 24/7/365 by ensuring a high level of uptime and availability. The data centre needs backup systems, and client data must be restorable and traceable. To do this, data centre managers need a proper asset management process.
Under GDPR, it’s more important than ever that businesses get the right data centre provider in place.
2. Respecting data sovereignty laws
Global businesses also find themselves having to deal with data management in nations that have stringent data sovereignty regulation.
For example, businesses operating in France are encouraged to store and process data within French borders, but other nations have much more stringent data sovereignty laws. China’s 2017 cybersecurity law is designed to protect Chinese data from foreign governments and compels businesses to store data relating to Chinese citizens on servers based in China. Russia requires all personal data collected from and about Russian citizens to be processed and stored on servers based in Russia.
Any global data centre provider needs to know the regional regulatory environment well to ensure that their clients can offer the best possible service to their own customers. They should be able to work with businesses to store and process their data with their national legislation in mind.
3. Working in a country with little data regulation
Global businesses also have to operate in countries that opt for light-touch data regulation (or choose not to regulate at all). For example, the United States doesn’t have an overarching data protection framework. The regulations that are in place vary state-by-state, with national laws focusing on specific sectors.
There are demands for a national data protection law – especially after massive data breaches like Equifax in 2017 – but many see regulations as restrictive.
Resistance is considerable: in 2018, KPMG found that tech leaders cited restrictive regulation as the main barrier to innovation.
Global businesses that operate in America can’t be complacent about regulation; they need to be familiar with state legislation that may affect data centre management.
Many other countries are in the process of developing regulation, so businesses working in these areas need to keep an eye on possible changes that may impact their operations.
Data centres power the digital economy, but the businesses that use them need to be able to navigate the complex system of regulations if they’re to minimise risk and maximise data centre efficiency. The best way to do this is by working with a global data centre provider that’s flexible enough to meet diverse regulatory requirements and strategic enough to have contingency plans in place to minimise client disruption.