How Does the GDPR Impact Colocation?

The European Union’s General Data Protection Regulation remains one of the most far-reaching pieces of privacy legislation ever released. Depending on your customer base, failure to comply with the framework can result in some pretty hefty penalties. That’s true even if your business isn’t located in the EU.

It’s been a little over a year since the European General Data Protection Regulation (GDPR) officially passed into law. Yet even now, there are plenty of businesses that aren’t quite certain about the regulation’s ins and outs. This is particularly evident in the colocation field, both among colocation providers and with businesses that use them.

If you aren’t yet aware, the GDPR is one of the most comprehensive privacy frameworks ever released. In broad strokes, it gives users total ownership over their data, requiring that businesses treat personally-identifiable information with the utmost care. The primary restriction in the GDPR is that it only applies to the data of EU citizens.

But that doesn’t mean U.S. businesses need not adhere, Far from it. If there’s even a chance that one of their customers might be from the EU, they need to follow the legislation. If they don’t, they can be fined up to 10 million euros, or 2 percent of their annual global turnover, whichever number is higher. 

Inasmuch as utilizing colocation services, whether or not your business does so isn’t really relevant where GDPR adherence is concerned. While it is still important to seek a colocation facility with strong cybersecurity practices, your own practices matter more. This applies regardless of where your colocation facility is situated. If you have a market in the EU, you need to adhere to the GDPR. 

For colocation providers themselves, it’s a bit more complicated. The GDPR establishes two distinct entities where private information is concerned. As noted by Schneider Electric Cloud & Service Provider president Mark Bidinger, these are data controllers and data processors. 

“All colocation companies are data controllers, because they provide “the purposes, conditions and means of the processing of personal data,” according to the GDPR,” Bidinger explains in a blog post. “But colocation companies that are controllers in relation to their own employees may nonetheless have limited responsibility under GDPR in relation to their own customer data.”

Here’s where it gets complicated. Facilities that provide managed colocation services blur the line between processor and controller. This means that if a client collects and stores the personal information of an EU citizen while they are in the EU, the facility is subject to the same regulations as that client. 

At the end of the day, the most important thing for any colocation facility is to have policies, procedures, and controls in place for easy control, sanitization, and categorization of data. So long as your colocation facility is able to readily comply with rules such as the right to be forgotten, then it should be fine. 

At the end of the day, I still recommend speaking with a compliance expert and an attorney because even if you’re certain you know what you’re doing, a bit of added expertise can’t hurt.