Data center compliance teams face new privacy, sustainability rules

With new frameworks for data privacy and sustainability, such as Privacy Shield and the Paris Agreement, data center teams may need to rethink their compliance strategies in 2017.

To make the right IT decisions, it's important to keep up with policy and regulatory changes in addition to advances in data center technologies. 2017 will bring a slew of updates, ranging from new data privacy laws to sustainability guidelines, which may force admins to make changes within their organization.

Here's a look at two new frameworks -- Privacy Shield and the Paris Agreement -- and the potential effect they could have on data center compliance teams.

Data privacy changes

In 2015, the European Court of Justice struck down the International Safe Harbor Privacy Principles (ISHPP) agreement between the U.S. and the European Union (EU). This left a void: there was no longer an agreed approach to transatlantic data management. In theory, it could also have forced every U.S. and EU company that does business together to establish one-to-one data management contracts that adhere to the prevailing laws on both sides. Luckily, the ISHPP was replaced with the Privacy Shield Act in 2016.

The Privacy Shield Act not only fills the void left by the dissolution of Safe Harbor, but also helps set the foundation for the 2018 enactment of the EU General Data Protection Regulation (GDPR) law. The GDPR covers how personally identifiable information is handled, both among the member countries of the EU and by any non-EU country that deals with such data.

In addition to navigating these changes, data center compliance and admin teams must determine how to handle data and the security of intellectual property in the context of other large global economies. For example, will India and China demand that other countries meet their security standards, or will they agree to use the Privacy Shield and GDPR?

For a large organization that owns its data centers, it may not be enough to maintain data in regional blocs. Each country may demand that any data containing information on its citizens, or that fits into defined buckets of national concern -- for example, data related to national security or nation-specific intellectual property -- be held in data centers on their soil. Ultimately, this may push more organizations toward colocation or public cloud-based facilities.

Midsize organizations that use a hybrid environment should be able to deal with these data issues. These organizations can maintain and manage certain data and workloads within their own data centers and store country-specific data at colocation sites within each country.

However, that only works when the data in that colocation site isn't being called on from an external nation. In 2016, Microsoft stood up to a U.S. court to maintain that data held in its Irish data center fell under Irish sovereignty. However, with a different set of judges in the U.S. Supreme Court, this may not be the case in the future.

For both large and midsize organizations, it may be time to look for nation-owned facilities in each country where you do business, or to consider facility providers who have registered their local facilities under a local company foundation. For example, colocation company XYZ Inc. might set up a subsidiary XYZ Ltd in the U.K., and XYZ BV in the Netherlands. The facilities in each country are registered directly to the country subsidiary -- not to the overall owning company. If this is done effectively, then only the local government agencies, not those in the owning company's country, can demand access to the data via the facility provider.

For smaller organizations that use a hybrid platform and software as a service, it can be difficult to understand the impact of data privacy laws. Data center compliance teams and the admins responsible for the IT platform must carry out due diligence to ensure that the various data laws applicable to the regions with which they trade are covered. This has to cover national requirements, such as those of the Information Commissioner's Office in the UK or the GDPR across Europe, as well as more general data security standards such as PCI DSS and ISO 27001.

Sustainability changes

Over 120 countries have agreed upon and ratified the Paris Agreement, a replacement to the Kyoto Protocol. Since the Paris Agreement is basically a set of guidelines around greenhouse gas emissions with no legal force, each country can pick and choose what it does or doesn't do.

Therefore, a data center manager in a large or midsize company may have to adhere to different sustainability laws across the company's global data centers, and these laws may change after each election cycle. It is far more cost-effective to offload the problem to external facility providers, such as colocation and public cloud vendors. However, if such a move is not possible, data center compliance teams must ensure they meet local, regional and global sustainability requirements -- and deal with any changes as they come through.

Even for smaller organizations with a heavy focus on outsourcing to the cloud, the cloud providers will have to invest in technologies and changes to follow the prevailing laws -- and that cost will generally be passed on to the customer. Although the costs will be bundled into the overall charges, continuous change to sustainability requirements will feed through to higher prices for both new and existing customers.

The biggest problem will be the unpredictability in what is happening around the globe. There may be issues that create volatility around currency exchange rates, new trade deals that bring in new tariff problems and issues around how the national value of data is perceived and where it should reside.

This will make life more difficult for data center compliance teams, and the business must lead the decisions more than ever before. Advise on options and ask the business to carry out a risk analysis before making any decisions -- and then make it happen.
