Data center security and privacy guidelines 101

Security is supreme for any data center, and so is minimizing the exposure of sensitive data. Security and privacy converge in data center operations, and organizations are now increasingly privacy-aware. Many now adhere to stringent region-specific laws and regulations.

Your data center is required to abide by the laws of the countries where your customers are located, and each of these countries mandates that customer data be retained within its borders. This means a data center is required to comply with different standards based on the location, construction, environment, and security regulations specified by different countries. Though there are common international data center security standards, like ISO9001 and SOC 1, SOC 2, and SOC 3, there are also country-specific regulations. In this article, we'll learn how to establish and comply with the standards and requirements for data centers mandated by various countries and regions.

Data center regulations for Europe

Europe, one of the most powerful hubs for commerce and IT, is a pioneer in security initiatives, and demands that its data stay within its boundaries. In Europe, when you observe a change in your regular data center usage, or anticipate that you need to expand operations in the cloud or establish your own data center, accomplishing your objective securely and effectively is vital. Especially for businesses involving cloud applications and storage, a native data center is the best choice for organizations conducting operations in Europe.

Because of the General Data Protection Regulation (GDPR), Europe is at the forefront of security and privacy issues. Though there were many laws in place in previous decades, the GDPR enforced strict practices to keep sensitive data within country boundaries. Other than the GDPR, there are also other laws in different European countries that organizations are expected to comply with to do business with the citizens of that country.

Here is a list of the major privacy and security laws to consider when establishing a data center in Europe. Ignoring them can involve huge penalties.

The GDPR

The GDPR is a European Union-wide privacy and data protection law that regulates how the data of EU residents is protected by companies. It enhances the control EU residents have over their data. The GDPR requires businesses to protect personal data and privacy for transactions that occur within EU member states. It is relevant to any globally operating company, and not just EU-based businesses and EU residents. The GDPR took effect on May 28, 2018.

The GDPR protects basic identity information such as name, address, and contact numbers; web data like IP address and cookie data; health, genetic data, biometric data, and sexual orientation; racial and ethnic data; and political opinions. Violating the GDPR can involve fines of up to 10 million euros, or up to two percent of the organization's entire global revenues in the preceding fiscal year, whichever is higher.

The key points from the GDPR are:

  • Rights of individuals: Indicates how organizations should help users find the data maintained about them, and comply with users' requests to modify or delete the data.
  • Right to be informed: Specifies the need to explain to users about the prevailing processes, and which processes do and don't require their consent. Organizations must also indicate how they intend to use the customer data.
  • Right to erasure: Allows individuals to request to erase their data when it's no longer necessary, or when its purpose has not been established or communicated to them.
  • Data Protection Officer (DPO): Establishes the appointment of a DPO to regulate and comply with all obligations required by the GDPR. The DPO is responsible for monitoring compliance with the GDPR to ensure there are no violations.
  • Lawful, fair, and transparent processing: Organizations should use data only for legitimate purposes, take full responsibility, and inform data subjects, i.e. users or European residents, about the way the data is processed.
  • Data breach: Organizations should maintain a register, assess the scope and impact, and notify the authorities and subjects within 72 hours of finding a data breach.
  • Data protection impact assessment: Before launching or releasing any new product, or a major upgrade, a data protection impact assessment should be initiated.
  • Awareness and training: All employees in an organization must be informed of the GDPR, and must undertake regular training about data protection and their responsibilities.

Most of the EU countries abide by the GDPR. However, some sections are left to individual member states to interpret and implement. In those areas, some countries have enacted certain updates that businesses who wish to set up data centers in those countries are expected to comply with.

Another variation from the GDPR is that member states are permitted to modify and implement regulations in a way that is enforced specifically in their country.

The German Bundesdatenschutzgesetz

The German Bundesdatenschutzgesetz (BDSG) is a federal data protection act that governs the exposure of personal data in Germany. Though this law has been in practice since the late 1980s, the new German Privacy Act (BDSG-new), updated after the GDPR came into force, complements, specifies, and modifies the GDPR.

The main provisions of the law that differ from the GDPR are:

  • Designation of a DPO: The German rules are stricter than those defined in Article 37 of the GDPR. According to Section 38 of the BDSG, companies operating in Germany must designate a DPO if they consistently employ at least 10 people to deal with the automated processing of personal data.
  • Fines: Violations that solely concern the BDSG will be limited to a maximum fine of €50,000, while the rest comply with the GDPR penalties.
  • Non-monetary damages: The new BDSG also defines non-monetary or non-pecuniary damages. These are damages which are not readily quantified or valued in money, such as proposed compensation for pain and suffering.

Violations of some region-specific regulations, such as those involving consumer loans, are considered criminal offenses, and the penalties are more severe than other fines from the GDPR.

The Dutch GDPR Implementation Act

Besides the GDPR, the Netherlands has a national data protection law. This is the Dutch GDPR Implementation Act (Uitvoeringswet AVG), which constitutes the local implementation of the GDPR. The Implementation Act follows a policy-neutral approach, meaning that the requirements of the previous Dutch Data Protection Act (Wet bescherming persoonsgegevens) are maintained as much as possible under the GDPR. The Dutch GDPR Implementation Act, in addition to other data protection laws, provides rules for implementing the GDPR along with details on the regulatory authority and its discretionary powers.

The Danish Data Protection Act

The 2018 Danish Data Protection Act supplements the GDPR with the member-state-specific provisions it permits. This act contains information about the roles of the authorities, as well as provisions related to data processing, the disclosure of personal data, the right to access, the designation of a DPO, limits on consent, prohibitions on data transfers, administrative penalties, and others more specific to Denmark.

The Data Protection Act of Finland

The Data Protection Act of Finland (Tietosuojalaki) is the supplementary implementation act of the GDPR that became law on January 1, 2019. The key enactments in this act are about:

  • Children's data, sensitive data, personal identity codes, and data relating to criminal convictions.
  • Public authorities, the data protection ombudsman, and administrative fines.
  • The lawful ground of public interest, and processing of personal data.

UK-GDPR

Following Brexit, the new UK-GDPR that took effect on January 31, 2020, is similar to the GDPR but accommodates domestic areas of law. The UK-GDPR expands sections on national security, intelligence services, and immigration. However, it sets out certain exceptions by which the regular protection of personal data can be bypassed. In the UK, the Data Protection Act 2018 also governs the way personal data is handled by organizations. This act also addresses:

  • Access to personal data
  • Right to erasure
  • Stopping or restricting the processing of data
  • Data portability
  • Lawfulness of processing
  • Objections to how data is processed under certain circumstances, such as for marketing purposes

Other data center standards

In addition to the above laws on privacy and data protection, there are also other standards for establishing a data center.

EN 50600 - Design of Data Centre Facilities and Infrastructures

The EN 50600 is the first Europe-wide, transnational standard drafted to provide comprehensive specifications for the planning, construction, and operation of a data center with a holistic approach. Developed by CENELEC (French: Comité Européen de Normalisation Électrotechnique; English: European Committee for Electrotechnical Standardization), EN 50600 primarily focuses on physical security. Its four sections cover:

  • Part 1: General concepts
  • Part 2: Physical aspects of structural issues relating to building construction, power distribution, environmental control, telecommunications cabling infrastructure, security systems, and management and operational information
  • Part 3: Management
  • Part 4: Efficiency aspects such as KPIs, energy consumption, and renewable energies

Uptime Institute: Data Center Authority

The Uptime Institute is a neutral organization that established four tiers of data center certifications for categories including design, construction, and operational sustainability.

  • Tier I: Basic capacity
  • Tier II: Redundant capacity components
  • Tier III: Concurrently maintainable
  • Tier IV: Fault tolerance

ISO

ISO27001 and ISO9001 are the key International Organization for Standardization (ISO) standards for Europe.

Organizations and compliance

Organizations that wish to establish data centers in the member states are expected to comply with the regional standards, as well as the GDPR. Though there are laws for every aspect of a data center from infrastructure to environment, privacy laws are given primary importance. With regulations for every process in place, businesses cannot afford to leave any loose ends.
