When the General Data Protection Regulation (GDPR) came into force in May 2018, it brought big changes to the way we gather and store information. It also brought the opportunity to be fined up to 20 million Euros or four percent of annual global revenues, for non-compliance.
Data protection law applies to every organisation from large corporates to sole traders, and whether you employ thousands of people or none.
The Information Commissioner’s Office (ICO) recently highlighted some big fines for organisations that failed to adhere to the law. Topping the list was British Airways, which was fined £20million for failing to protect the personal and financial details of more than 400,000 customers. In second place was Marriott International with a fine of £18.4million for failing to keep the personal data of 339m of its customers safe.
Do you know where your data is held, and who controls it?
GDPR affects the management of data centres, since the operators own the physical environment where data is stored, and can be both ‘controllers’ and ‘processors’ under the regulation. It is essential that your data centre partner is compliant, particularly if your organisation runs on a private, public or hybrid cloud infrastructure. Since GDPR came into force, visitors to our £4m Tier 3 data centre have rightly been keen to ask about data privacy, as well as traditional questions around connectivity, physical and cyber security, power, cooling, and access.
Your data centre partner should be able to demonstrate appropriate management processes in identifying their data, specifically personally identifiable information, and having polices and processes in place for the right to forget, the right to alter, and data security. Operators need to show they know what devices they hold, what level of control they have over them, where they are located, and what information those devices can access. They should also be able to demonstrate that in the event of any kind of interruption, they have the ability to quickly and smoothly restore data.
Essentially they are pledging that they have granular level control of where data is held, how it is held, and how it is accessed.
Do they hold appropriate standards?
Look at the international quality standards the data centre holds. Here at ITPS we are long-standing holders of ISO27001, the standard that sets out the specification for an information security management system (ISMS), and is a best practice approach that includes people and processes as well as technology. It means we have the policy, process and documentation, and working practices in place required for GDPR compliance.
Security audits
Make sure you can carry out your own audits and that it is reflected in your contract wording. Our data centre has been through rigorous audits and had the seal of approval from bodies including the Department of Justice and the NHS.
Brexit and GDPR
The ICO is warning that while the government is seeking an adequacy decision for the UK, which would recognise its data protection regime as equivalent to those in the EU, it will not be in place before Brexit.
In the case of a no deal situation, the free flow of data between the UK and the EU would stop. You might think you know where your data is, but can you be sure your contractor has not moved storage services to a cloud provider outside the EU without informing you? If your cloud services are not based in the UK, it could expose you to risk.
With Brexit looming and as we continue to deal with the challenges and changes the year has brought, it’s never been more important to protect your data and your business. Give our cloud and security experts a call for a chat about how we can help you stay safe.