Only those who have been residing on Mars for the last couple of months will have missed the recent news on GDPR - General Data Protection Regulation.  New European rules on data protection have just been agreed after four years of wrangling.

The changes mark the biggest upheaval in 20 years and have major implications for data centre operators and cloud service providers.  Data driven businesses of all sizes will face more bureaucracy, more legal uncertainty and more risk. Consumers will also have less clarity about who is liable in the case of data breaches. But there is potentially a bigger issue that affects us all: some say that other changes threaten existing, highly innovative, business models and could place the EU at an economic disadvantage. Worried?  Yes, you should be.

europe flags thinkstock  _marqs
– Thinkstock / _marqs

Good intentions

The intentions are understandable. The objectives of the GDPR are to protect consumers (from themselves as much as anything). 

In the UK, individuals are generally very happy to give their personal data to businesses – in fact they are much more enthusiastic about providing it to companies than to government, although attitudes differ across Europe.  What they often don’t understand are the consequences of ticking (or, more importantly, not ticking) those boxes and exactly how their data will be used. 

The Commission wants to protect that data and ensure that consumers understand what personal data they are giving away and to whom.  It wants to ensure that nobody can hide behind anyone else in the case of data breaches. So it has extended liability down the supply chain.  The Commission aims to ensure that nobody can pretend they don’t have anything to do with data and so the new laws are also expanding liability by broadening the definition of who can be classed as a data processor.

So what is the problem?

The new rules make data controllers and processors jointly liable for any breach of the Regulation. Joint liability will extend responsibility beyond the companies that collect and use personal data. Cloud providers, data centres and processers will now be liable for data held on their services.

Given that these data processors will have little visibility over whether the data collected by data controllers is compliant with the new Regulation, managing the legal implications of this requirement within contracts between controllers and processors will be difficult and potentially costly. Companies will have to take out indemnities for risks they cannot quantify. Both businesses and their customers, particularly SMEs, will face higher costs.  While in theory consumers will always have somebody to blame for data breaches, in practice there is less clarity on where they should seek redress. 

Mr Silly
Mr Silly – THOIP / Sanrio (Fair Use)

A cautionary tale:

Mr Silly, a data controller who should know better, is using his laptop to check customer salary records while he is having a coffee in Starbucks on an open W-Fi system.

These salary records are actually held a hundred miles away in a secure data centre surrounded by barbed wire, with bomb-proof walls and biometric security, policed and managed by Mr Strong

The computers on which the data is held belong to a cloud services provider, Mr Worry, who provides the platform on which the data is hosted.  

Mr Nosey, who is sitting next to Mr Silly in Starbucks having a latte and a pecan Danish and enjoying a chat with his friend Mr Mischief, sees what Mr Silly is doing and notices that there are some very interesting salary packages there. 

Mr Mischief hacks in and forwards a whole load of sensitive information to Mr Chatterbox at the Daily Mail.  There is a big scandal and heads must roll. 

Who is to blame?  Under the old scenario, Mr Silly was to blame; under the new scenario you might consider suing:

  • The data controller, Mr Silly 
  • The data centre operator, Mr Strong 
  • The Cloud services provider, Mr Worry
  • Starbucks
  • The sandwich delivery boy
  • Some bloke who happens to be passing in the street
  • All of the above (plus Mr Nosey and Mr Mischief, although technically they would be prosecuted under the Computer Misuse Act)

So from my perspective, looking after the interests of UK data centre operators, I’m worried.  I think there are three problems with the GDPR. The very broad definition of data processors is one problem, and the joint liability that scoops everyone up and confuses accountability is a second.

The third issue is the risk that the GDPR will undermine existing business models, but I’ll save that story for another time.

Emma Fryer is an associate director at TechUK