After months of discussions and consultations, the European Parliament has now agreed to replace the outdated and increasingly powerless EU Data Protection Directive of 1995 with the new and more robust General Data Protection Regulation (GDPR). Set to come into force as soon as 2018, the regulation signals a new era in our region’s struggle to protect the privacy rights of citizens, writes Dr Sandra Bell, Head of BC & ISDG Consulting (Europe), Sungard Availability Services.
At its heart, the GDPR seeks to harmonise the sprawl of distinct national rules and regulations into a single law that applies to the personal data of EU citizens, wherever they are from and wherever their data is stored. From a business perspective, the regulation is a helpful development that will make it easier and more cost effective for cloud providers to offer pan-EU solutions. It will also make it safer for EU organisations to make use of these cloud based solutions for the processing of personal data.
Cloud computing has already proven its benefits: almost three quarters (64 per cent) of businesses in key European markets state that it has enabled them to increase business agility, reduce cost (53 per cent) and cut down day-to-day maintenance activity for IT teams (52 per cent). Now it is being used to direct IT resources towards higher-value activities for the business, and to support innovation at lower risk.
One of the main reasons why on-premises solutions persist – whether private cloud deployments or physical, on-site hardware – is the wish to keep sensitive data from crossing geographical boundaries. The rationale is that data security can be better controlled within national boundaries. Although some of the finer points of the regulation are yet to be confirmed, it is anticipated that, like its predecessor, the GDPR will require that data is not stored in, or transferred through, countries outside the European Economic Area that lack equivalently strong data protection standards or US Safe Harbor Certification.
Moreover, it is also anticipated that the GDPR will strengthen this requirement with formalised adequacy determinations. Whilst, on the surface, this may appear to hamper data transfers further – and thus pose challenges for cloud suppliers – the aim is to “control”, not to “restrict”. It is a crucial difference, and one which aims to ensure that EU citizens’ data is better protected.
The majority of public clouds keep costs down by relying on global, unregulated resources and will therefore probably need to invest heavily to meet the new regulations. However, this is not the case across the entire industry: many cloud solutions are able to offer assurances of data sovereignty, making cloud a real possibility for personal or otherwise sensitive data. Additionally, for many heavily regulated businesses – such as financial services organisations or retailers – storing data on-premises was believed to offer greater control, whereas the introduction of the GDPR will offer a new freedom in allowing the use of subcontractors to process data. And it can be done without the risk of a large compliance fine for improper treatment of data. Under the new regime, organisations are not wholly responsible for the risk, so it will be far more attractive to use a regulated cloud or co-location provider, which in turn reduces compliance costs.
The impending introduction of the GDPR is set to become a watershed moment in shaping the global landscape of enterprise IT. Creating a single level of compliance and regulation across the entire European region will not only offer a trusted market for cloud consumers, but will also help the market grow and provide a more robust offering that goes beyond many global cloud services.