Research article

GDPR & DPA implications

Data centre operators’ obligations and liabilities are increasingly engaged


It has been four years since the General Data Protection Regulation (GDPR) came into force (May 2018). The main goal of the law was to protect EU citizens’ privacy and information. Hence, GDPR rules apply to all companies (including non-European ones) holding data from organisations or people residing in the EU. Additionally, the GDPR provides for the free flow of non-personal data within the European Union to enhance the competitiveness of its digital economy. Importantly, it also allows data to flow to third-party countries if the receiving country’s laws comply with the GDPR’s rules. Since May 2018, there has been a massive uptake in policy revisions and updates.

Data processing under GDPR covers a wide range of considerations, notably storage security, erasure and decommissioning to permanently remove data from drives, LUNs, servers and virtual machines. The regulation has therefore had a heavy impact on data centre operators’ business models, adding responsibility and placing an onus on the data processor to work closely with the controller. This has mainly resulted in increased legal costs, as contracts between data processors and data owners have become more elaborate and strict, and complex data management often requires auditing. On a positive note, GDPR rules brought cohesion and clarity within the European Union.



Post-Brexit UK-GDPR, DPDI on hold

In January 2021, the UK became “a third country” under the EU’s GDPR, with provisional agreements between the UK and EU. In anticipation of Brexit, a new domestic data privacy law called the UK-GDPR took effect in January 2020. It is almost word for word identical to the EU’s GDPR. Alongside the Data Protection Act of 2018 (DPA), UK-GDPR governs all processing of personal data from individuals located inside the UK. The DPA also governs data processing for local law enforcement authorities and intelligence services. In June 2021, the EU agreed on an adequacy decision for the UK, ensuring the free flow of personal data between the two blocs for four years until June 2025.

However, during the same month, the UK government announced some reforms to the data protection framework to ease and simplify some regulations. This new regulation will likely create a dual regime for most companies, with differing rules for personal data in the scope of the UK regime and personal data in the scope of EU law. Indeed, any data on people in the EU will still need to comply with the EU GDPR. Compliance with these two regimes will likely lead to increased complexity and additional legal investment for data centre operators. That said, early this month, the UK government confirmed another pause to the draft Data Protection and Digital Information Bill (DPDI), opening a period of uncertainty and transition for businesses.

Read the articles within Spotlight: European Data Centres below.
