Your data center is required to abide by the laws of the countries where your customers are located, and each of these countries mandate that customer data be retained within its borders. This means a data center is required to comply with different standards based on the location, construction, environment, and security regulations specified by different countries. Though there are common international data center security standards, like ISO9001 and SOC 1, SOC 2, and SOC 3, there are also other country-specific regulations. In this article, we'll learn how to establish and comply with the standards and requirements for data centers mandated by various countries and regions.
Europe, one of the most powerful hubs for commerce and IT, is a pioneer in security initiatives, and demands its data stays within its boundaries. In Europe, when you observe a change in your regular data center usage, or anticipate that you need to expand operations in the cloud or establish your own data center, accomplishing your objective securely and effectively is vital. Especially for businesses involving cloud applications and storage, a native data center is the best choice for organizations conducting operations in Europe.
Because of the General Data Protection Regulation (GDPR), Europe is at the forefront of security and privacy issues. Though there were many laws in place in previous decades, the GDPR enforced strict practices to keep sensitive data within country boundaries. Other than the GDPR, there are also other laws in different European countries that organizations are expected to comply with to do business with the citizens of that country.
Here is a list of the major privacy and security laws in Europe for establishing a data center in Europe. Ignoring them can involve huge penalties.
The GDPR is an European Union-wide privacy and data protection law that regulates how the data of EU residents is protected by companies. It enhances the control EU residents have over their data. The GDPR requires businesses to protect personal data and privacy for transactions that occur within EU member states. It is relevant to any globally operating company, and not just EU-based businesses and EU residents. The GDPR took effect on May 28, 2018.
The GDPR protects basic identity information such as name, address, and contact numbers; web data like IP address and cookie data; health, genetic data, biometric data, and sexual orientation; racial and ethnic data; and political opinions. Violating the GDPR can involve fines of up to 10 million euros, or up to two percent of its entire global revenues in the preceding fiscal year, whichever is higher.
The key points from the GDPR are:
Most of the EU countries abide by the GDPR. However, some sections are left to individual member states to interpret and implement. In that part, some countries have enacted certain updates that businesses who wish to set up data centers in those countries are expected to comply with.
Another variation from the GDPR relates to member states being enabled to modify and implement regulations that are enforced in a specific way in their country.
The German Bundesdatenschutzgesetz (BDSG) is a federal data protection act that governs the exposure of personal data in Germany. Though this law has been in practice since the late 1980s, the new German Privacy Act (BDSG-new) updated since the GDPR, complements, specifies, and modifies the GDPR.
The main provisions of the law that differ from GDPR are:
Violations to some region-specific regulations, such as those involving consumer loans, are considered criminal offenses, and the penalties are more severe than other fines from the GDPR.
Besides the GDPR, the Netherlands has a national data protection law. This is the Dutch GDPR Implementation Act (Uitvoeringswet AVG) which constitutes the local implementation of the GDPR. The Implementation Act follows a policy-neutral approach, meaning that the requirements of the previous Dutch Data Protection Act (Wet bescherming persoonsgegevens) are maintained as much as possible under the GDPR. The Dutch GDPR Implementation Act, in addition to other data protection laws, provides rules for where to implement the GDPR along with details on the regulatory authority and discretionary powers.
The 2018 Danish Data Protection Act supplements the GDPR with its regulations specific to member states. This act contains information about the roles of the authorities, as well as provisions related to data processing, the disclosure of personal data, the right to access, the designation of a DPO, limits on consent, prohibitions on data transfers, administrative penalties, and others more specific to Denmark.
The Data Protection Act of Finland (Tietosuojalaki) is the supplementary implementation act of the GDPR that became law on January 1, 2019. The key enactments in this act are about:
Following the Brexit, the new UK-GDPR that took effect on January 31, 2020, is similar to the GDPR but accommodates domestic areas of law. The UK-GDPR expands sections on national security, intelligence services, and immigration. However, it sets out certain exceptions by which the regular protection of personal data can be bypassed. In the UK, the Data Protection Act 2018 also governs the way personal data is handled by organizations. This act also addresses:
In addition to the above laws on privacy and data protection, there are also other standards for establishing a datacenter.
The EN 50600 is the first European-wide, transnational standard drafted to provide comprehensive specifications for the planning, construction, and operation of a data center with a holistic approach. Developed by CENELEC (French: Comité Européen de Normalisation Électrotechnique; English: European Committee for Electrotechnical Standardization), EN 50600 primarily focuses on physical security. Its four sections cover:
ISO27001 and ISO9001 are the key International Organization for Standardization (ISO) standards for Europe.
Organizations that wish to establish data centers in the member states are expected to comply with the regional standards, as well as the GDPR. Though there are laws for every aspect of a data center from infrastructure to environment, privacy laws are given primary importance. With regulations for every process in place, businesses don't have the liberty to have a loose end.