In November 2016, a Russian court of law found LinkedIn to be non-compliant with a regulation that requires all personal data from Russian citizens to be housed in servers physically located on Russian soil. Fast forward a couple of months and the Russian government has demanded Google and Apple remove the LinkedIn app from the country’s local app stores.
In short, Russia claimed LinkedIn didn’t adhere to its data sovereignty rules, which prevent interference from prying eyes.
Meanwhile in America, up until 2015, Safe Harbor protected the transfer of data between the US and EU. That agreement was invalidated in the wake of the Snowden revelations and data sovereignty was raised to protect people’s privacy from US intelligence agencies’ surveillance.
In the Russian LinkedIn case, one might assume the data sovereignty argument is more about control but the fundamentals are the same - data sovereignty is usually a political mechanism, played out in the business arena.
Data resides in physical warehouses (data centers) and is governed by the laws of the land. That is why data residency could become the unwitting victim of a messy divorce between the UK and EU. As we negotiate Brexit, certain data legalities will be subject to change.
For instance, come 2019, UK companies may not be able to house information about their European customers on UK soil and vice versa.
The end-result could spell an exodus of multinational companies, as they follow the Pied Piper’s data trail all the way to Dublin, Paris or Frankfurt. The flip side of this scenario is that data on UK citizens currently held in Europe would have to be repatriated back to British data centers.
Winning sovereignty but losing data flows
The Leave campaign lobbied primarily on issues of sovereignty - being able to make our own rules, without intervention from foreign governments. But in the process of asserting sovereignty over not only our laws but our data, the UK may end up losing control of its data flows to its largest (by transfer volume) trading partner.
According to 4D’s recent survey, almost one third of companies currently using an international public cloud for company data are already planning to stop doing so in two years’ time, following Brexit. Many of these will migrate over to a UK cloud provider.
But moving cloud suppliers is a Herculean task, given the change management planning that needs to be done up-front (many companies don’t even know where their data resides) to overcome vendor lock-in and business disruption. VMware estimates it would cost UK organizations an average of £1.6m to move their data from one location to another - and that’s a conservative calculation.
Of the IT decision-makers 4D polled, 63 percent say Brexit has intensified their concerns surrounding data location and sovereignty - suggesting this is an issue which will gain prominence once formal negotiations begin.
At present, just 28 percent of companies think about data sovereignty in terms of how local laws will impact the way they store their data. The chances are the remaining 72 percent will follow suit soon. In the process, they’ll probably spawn a whole new cottage industry of ‘compliance migration’ consultants.
Preparing for Brexit
To navigate the next few years, businesses would do well first to determine where their data resides and what laws they’re subject to.
They’ll then need to assess how they can inject greater flexibility into their arrangements, given that certain options will be closed to them (namely, using a foreign-owned data center on UK land or a UK-owned data center on foreign land).
Given the political sensitivities, companies wanting to operate in the UK would do well to embrace UK-based (and owned) data centers. Doing so will keep them on the right side of the law, bring cost savings from not having to run and maintain their own data center and, if their end users are nearby, deliver all the benefits of low latency. The same is true if they choose UK-based cloud providers.
In short, a business has a choice - to hope for the best but run the risk of being caught flat-footed, or plan now for an orderly transition.