Tuesday, October 17, 2017

Winds of change: How the GDPR will affect the EU and the Irish digital hosting landscape

by Garry Connolly, founder and president of Host in Ireland

The digital hosting ecosystem in Ireland continues its rapid expansion, with global internet giants like Amazon, Google, Apple, Microsoft, Facebook and many more making large infrastructure investments throughout the nation.

While Ireland boasts an impressive pedigree of leading hyperscalers, the Irish data hosting sector is not limited to these web-scale organisations. It has also become home to a multitude of small and medium-sized enterprises (SMEs) that are availing of the rapid expansion of colocation, retail and wholesale options like Equinix, Digital Realty, Interxion, Keppel DC REIT, SunGard and DataPlex.

Given the advent of new submarine cable deployments linking Ireland to the U.S. in the past 12 months, companies are able to meet transatlantic capacity requirements while taking advantage of the benefits Ireland has to offer regarding the 5 Ps of digital asset hosting: Policy, People, Pedigree, Pipes and Power.

Against this backdrop, a major shift is currently underway throughout the European Union that will have a significant impact on hyperscale organisations and SMEs alike.

After four years of preparation and debate, the EU General Data Protection Regulation (GDPR) was approved by the EU Parliament in the spring of 2016, and will be enforced from May 25, 2018.

Data controllers hosting in the EU as well as those serving EU citizens must prepare for this massive shift in data privacy regulation, and early education is the first critical step.

Prepare or Be Penalised

The GDPR is the most significant change to data privacy regulation throughout the EU in 20 years. This new policy will replace the Data Protection Directive 95/46/EC, a data protection regulation adopted in 1995, and will seek to standardise data privacy laws across Europe, reshaping the way organisations approach data privacy.

Though many of the key principles outlined in the previous iteration remain relevant, the modern digital economy has evolved drastically over the past two decades, making it necessary to enact new policies that reflect current challenges.

A few of the key changes outlined in the GDPR include increased territorial scope, heavy penalties for non-compliance and strict rules for data processing consent.

GDPR will apply to all companies processing personal data of subjects residing in the EU regardless of the data controller’s location, and organisations in breach of the new policies will be fined up to four percent of annual global turnover or €20 million, whichever is greater.

As for consent, the GDPR outlines that terms and conditions must be given in an intelligible and easily accessible manner, and must state the purpose for data processing attached to the request.

This new regulation will put major emphasis on the rights of data subjects in an attempt to protect and empower all EU citizens. Some of the rights outlined in the GDPR include:

  • Breach notifications: According to this regulation, data subjects must be notified of a security breach within 72 hours of its discovery.
  • Right to access: GDPR policy states that data subjects have the right to obtain information regarding the processing of their personal data including its location and usage.
  • Right to be forgotten: Also known as “data erasure,” this right entitles subjects to have the controller delete personal data, cease further dissemination and halt third-party processing.
  • Data portability: According to new policies, data subjects will gain the right to receive personal data and transmit it to another location.
  • Privacy by design: Data protection measures must be included from the onset of system design and should not be adopted retroactively.
  • Data protection officers: The GDPR will enforce stricter internal record keeping requirements and will force controllers to submit notifications regarding data processing activities.

While the spring of 2018 may seem a long way off, it is important for data controllers serving businesses and individuals in the EU to educate themselves early in order to ensure compliance and avoid costly penalties.

Helen Dixon, Data Protection Commissioner for Ireland, has said that the GDPR will be a “wake up call” for Irish companies and other organisations that do not have privacy and data protection tools and teams already established. Here at Host in Ireland, we agree with that assessment.

Post-Brexit, Ireland will be the only native English-speaking nation in the EU, will have the only common law-based legal structure and will be one of only two nations with both a minister and a commissioner for data protection.

We take our responsibility as the ‘Digital Gateway to Europe’ for U.S. companies very seriously, as we have done for the past 60 years. And whilst we pride ourselves on being a pro-business environment, the rights of the individual should also always be protected.