Data is an increasingly valuable asset, and customers know it. When hiring leased datacenter services, there are naturally some concerns: clients want to ensure that their information is kept safe, virtually and physically. Thus, a datacenter’s security measures can be decisive for customers choosing among providers.
Although protecting data is considered best practice in the leased datacenter industry, regulatory frameworks across the world need to keep up with advances in technology and ensure that data privacy is safeguarded by law. Brazil’s Lei Geral de Proteção de Dados Pessoais, or LGPD data protection law, is a prime example of how these regulations, although sometimes redundant, are necessary.
The LGPD exemplifies how datacenters often find themselves playing a central role within the larger IT supply chain. Since they contain customers’ physical IT infrastructure, datacenters serve as a backbone to the broader IT industry, an important location where physical and virtual security must complement each other to keep customer data protected at all levels.
The LGPD: Brazil’s data protection law
Brazil saw significant growth in data leaks in 2018 and 2019, increasing almost sixfold in number of occurrences. Additionally, it was reported in June 2019 that the country’s National Justice Council postponed its cloud contract with Microsoft Corp. over fears that national data could possibly be housed in and accessed from datacenters outside of Brazil. The LGPD is an attempt to fix the cracks in the country’s IT sector, formalizing data protection practices while inadvertently increasing the pressure for datacenter providers to ensure the physical and virtual safety of their sites.
The LGPD was signed by the country’s former president, Michel Temer, in 2018. The law came into effect in August 2020 and, in 2021, the nation’s government announced it would be cracking down on infractions, ranging from administrative sanctions to fines of as much as $10 million.
Under the LGPD, personal data is defined as information capable of identifying users either directly or indirectly, including but not limited to name, government ID number, birthdate, phone number, bank account, health indicators, income, general consumption habits, IP address and cookie history.
The law replaces over 30 previous provisions applying to distinct sectors, also establishing a National Authority for Personal Data Protection in Brazil. The LGPD stipulates that organizations retaining customers’ private data reach out to existing clients to ensure that they have their consent on all forms of data processing and that new clients are given enough information on how their data is being managed and are allowed to “opt in” to these processes.
Impacts on datacenter providers
Not all datacenters are created equal. The industry often divides IT infrastructure into four distinct categories: on-premises, colocation, cloud or some hybrid of these.
On-premises IT is kept by organizations within their business space, and colocation entails leasing space in a datacenter maintained by a third party that specializes in datacenter services. With cloud, the infrastructure is kept entirely virtual, with organizations hiring cloud services and moving their data and applications to the cloud supplier’s datacenter virtually. Hybrid, as the name implies, involves integrating two or more of these services and customizing them to best fit the organization’s IT needs.
When it comes to colocation and cloud in particular, the data’s virtual safety is typically not the datacenter’s responsibility; the customers or the cloud services they hired need to manage the IT safety protocols for cybersecurity and are ultimately responsible for measures such as firewalls and data encryption.
The physical protection of the equipment where the data lives, however, often falls to the datacenter provider. The LGPD therefore establishes that datacenters are responsible for the physical measures required for data protection, including the physical safety of, and physical access to, the systems holding that data, since it is within their confines that all of those systems run and operate.
Datacenter providers must take several measures to ensure their facilities are LGPD-compliant. A datacenter needs to track visitor data, frequently update software and hardware, control physical access to the facility, keep enterprise data constantly accessible to the customer and train its staff on suitable IT practices.
Typically, these standards are already met by third-party datacenters in Brazil and around the globe, due to customers requiring high levels of security in their facilities. The LGPD, however, formally established a regulatory framework that officializes these practices as standards for the industry and, perhaps more significantly, lists legal penalties for infractions against them.
The importance of data protection laws
Under the LGPD, not much might change for datacenters in Brazil on a day-to-day basis — datacenters’ entire business models are built on the fact that they can keep customer infrastructure safe from physical disruptions. Facilities already operate as a highly secure environment that is monitored constantly. Yet the law does indicate that Brazil’s technology market is maturing — with the country becoming one that, understanding the importance of protecting personal data, creates a legal base to ensure that providers comply.
More than anything, Brazil’s LGPD regulation demonstrates how legal systems evolve and adapt to new industries, particularly in the technology sector. It could potentially serve as an example of what might occur in other markets, especially emerging ones. Last of all, one can never overstate the importance of data protection. The implementation of these laws, even if sometimes redundant, is always necessary to fully protect providers and customers and address any potential legal loopholes that could cause harm to either party in a less formally regulated industry.