Is it possible to estimate how many data subjects’ personal data exists on the infrastructure of a web hosting / IT backup provider?

To all my IT colleagues in LinkedIn-Land: I have a favour to ask.

We have been approached by a number of providers of web hosting and IT backup services asking us to act as their EU Representative under Article 27 of GDPR – as a very quick summary, this is required for companies which process the personal data of EU individuals but have no EU office.

Because we accept potential liability for our clients’ breaches of GDPR when we accept an appointment from a client (i.e. the greater of €20m and 4% of global revenue for each of them), we need to understand the potential level of risk this involves. There are a number of ways companies in our sector do so, but we take the view that this risk can only be assessed by looking at the number of EU data subjects for which that personal data is processed, and the sensitivity of the data which is being processed. These are two of the major factors which will impact the likely size of a GDPR fine, and accordingly the liability which we may be accepting on behalf of a client.

BUT, how do we assess this when the client themselves does not know the answers to these questions and, because the nature of their services means they have no direct route to inspecting the data they process for their clients (e.g. because they simply host the data but don’t have access to it), they have no method to find this out?

Clearly there are a huge number of factors which could affect this number – the activities of the organisations storing that data, what type of data they’re storing in that infrastructure (it could be a marketing database of millions of names, or it could be data entirely related to product manufacturing), the volume of data collected for each individual (is it just an IP address, or a full profile with HD photo), the extent to which they are actually making use of the storage space they have available to them in the host/backup infrastructure (they may have purchased 100GB of storage but only be using 50GB) etc. etc.

My question: is it possible to make broad generalisations across industries for this? In other words, by making a series of best-guess assumptions, can anyone propose a method – or, better still, a number – for assessing how many data subjects’ personal data would be contained in an average gigabyte of data storage, averaged out across data storage globally (or even in a specific sector or territory).

I realise this is probably an impossible question, but I would very much welcome radical ideas, outlandish guesswork and any kind of suggestion to help with this.

Answers on a postcard to [email protected].

Thanks!

Tim Bell

Founder and Managing Director of RealQR and DataRep

5 years ago

Is this like asking the question about how many sweets are in the jar, but I'm not telling you how big the jar is?!
