Data Protection Law
Data centres – the basics
Data centres are one of the most important parts of the modern economy. They are specialised businesses used by organisations to store, oversee, and process their data. The average large business stores thousands of terabytes of data. Given the scale, which increases year on year, it would be highly inefficient (technically and commercially) to store this significant amount of data in-house.
Data centres utilise robust mainframe computers located in secure and regulated environments. Because of the specialised equipment these facilities own, and because operating costs are spread across clients, the price of electronic data storage falls – to the point that almost all businesses rely on cloud storage operated by data centres. It is not uncommon for commentators on data centres to describe them as the ‘4th utility’ – alongside water, electricity, and natural gas.
Because data centres are essential for the uninterrupted functioning of an organisation on a daily basis, it is crucial to maintain their high level of security.
As data becomes more valuable, data centres are more at risk from incidents such as cyber-attacks and extreme weather that could interrupt access to important data.
Current regulation of data centres
The Government argues that third-party data centres are subject to a high level of risk. There is an absence of oversight, testing, governance and statutory mechanisms to defend against threats. Ultimately, there is no direct regulation governing the security and resilience of this sector in the UK.
That is not to say that other UK laws have an impact on data centres. One of the most important laws relating to the security of data centres in the UK is the General Data Protection Regulation (UK GDPR).
Under the UK GDPR, it is important to understand two important terms: data controller and data processor. Data centres can be controllers or processors or both.
While a data controller exercises overall control of personal data and determines the purposes and means of processing, a data processor processes personal data on behalf of the controller and in accordance with the controller’s instructions. Most of the personal data a data centre processes, it will process as a processor.
The UK GDPR is clear that both controllers and processors are responsible for implementing appropriate technical and organisational measures to ensure a level of security appropriate to the risk to personal data. These measures include:
- Pseudonymisation and encryption of personal data.
- Ensuring the ongoing confidentiality, integrity, availability and resilience of processing.
- Having the ability to restore availability and access to personal data in a timely manner in the event of a physical or technical incident.
- Ongoing testing, assessing and evaluating of the effectiveness of technical and organisational measures.
In short, where a data centre processes personal data (which most will, given the wide range of customers they might have) there will be minimum security standards that must be put in place to protect that data. But the UK GDPR is not prescriptive. Given the importance of data centres as a ‘4th utility’, the security standards that may be sufficient to ensure lawful processing under the UK GDPR (which applies to all organisations) may not be enough to protect data centres from sophisticated hackers and/or national security threats.
Why is the suggested framework being proposed?
The UK Government has long sounded the alarm around the increase in cyber-attacks with both political and financial motives. A sophisticated cyber-attack on a data centre could affect all the businesses that utilise it – a ‘critical’ security risk.
There are also clear economic incentives to increase data centre security. Outages, whether arising from cyber-attacks or other factors, continue to rise in their length, cost and severity. According to 2022 research by the Uptime Institute, outages are becoming more expensive and more frequent. Over 30% of data centre outages last longer than 24 hours and, in most cases, cost service operators more than £78,700. According to the Uptime Institute, the biggest reason is the growing dependency of corporate economic activity on digital services and on data centres. It is therefore crucial for data centre operators to keep increasing their resilience and security.
The UK Government issued a Call for views on risks to data storage and processing infrastructure, worked with the National Cyber Security Centre and the National Protective Security Authority to assess and test the security of data centres, and worked with the Cabinet Office and engaged with the data centre sector to identify risks and potential mitigations. On 14 December 2023 it then launched a consultation on Protecting and enhancing the security and resilience of data infrastructure, which includes data centres.
The Government is actively seeking the insights and expertise of affected and interested businesses so that it can make the most effective and informed decision.
What is encompassed in the suggested regulatory framework?
The Government proposes to introduce a new statutory framework in order to improve and guarantee the continuous security and resilience of the UK’s data infrastructure. The objective is to make sure that all relevant operators in the UK are effectively addressing and mitigating risks.
Government proposals focus on preventing key concerns such as cyber-attacks and physical attacks; resilience risks resulting from hazards such as equipment malfunction and extreme weather; and poor information-sharing and cooperation across the industry.
It is intended that organisations that operate data centres or provide similar services would be required to comply with the following conditions:
- Mandatory registration with the designated regulator and ongoing provision of relevant information regarding their UK operations, including reporting significant incidents. This regulator is yet to be identified or created after the consultations. The regulator would be assigned a regulatory function to implement, manage and enforce the new framework using mechanisms to mandate assurance of baseline security and resilience measures.
- Taking appropriate and proportionate technical and organisational measures to manage risks to security and resilience. The Government is considering adopting measures similar to those that apply to relevant digital service providers under the NIS Regulations. The NIS Regulations introduced legal measures for the network and information systems that are essential for providing digital services, aiming to improve their overall security.
In order to protect and enhance the security and resilience of data centres, the key measures are proposed to include:
- Risk management.
- The physical and cyber security of facilities (e.g., encryption, system failure, human error).
- Incident management (detection, analysis and containment of any incident, and the follow-up response).
- Resilience and service continuity (maintaining or restoring the delivery of services to acceptable predefined levels).
- Governance and personnel.
- Monitoring, detection, auditing and testing.
- Supply chain management (establishing and maintaining appropriate policies).
This Government proposal represents a significant step towards enhancing the protection of businesses relying on data centres.
Many of the proposed regulations align with the requirements under the UK GDPR. It is notable how closely the language used in the Government’s proposal tracks the relevant wording of the UK GDPR. The UK GDPR already anticipates, for example, an existing information security policy and the consideration of physical and environmental security when implementing technical and organisational measures.
At present, it remains uncertain whether a new regulatory body will be created or whether an existing one will take on these responsibilities. Should the ICO, for instance, undertake these new regulatory duties, it will further increase the extensive burden that regulator bears in overseeing (in effect) most organisations and sole traders in the UK.
The consultation will close on 22 February 2024. After the consultation is over, the Government will consider the views and evidence received to inform its response and any further proposal, while continuing to engage with relevant stakeholders and with the governments of other jurisdictions to explore collective risk mitigation and joint action to address common risks and threats.
If this framework comes into force (and unless modified as a result of consultations), it appears that relevant data centre providers would merely be required to register with the designated regulator. It remains to be seen if the security obligations on data centres would be enhanced as part of the proposed framework.
If you have any questions around the UK GDPR, data centre regulation, or require assistance with understanding its potential impact on you or your business, please feel free to reach out to us here.