In November 2016, a Russian court of law found LinkedIn to be non-compliant with a regulation that requires all personal data from Russian citizens to be housed in servers physically located on Russian soil. Fast forward a couple of months and the Russian government has demanded Google and Apple remove the LinkedIn app from the country’s local app stores, showing exactly how data sovereignty laws impact businesses.
In the Russian-LinkedIn case, Russia deemed LinkedIn to not be respecting its data sovereignty laws since they were storing data in a different country. Post-Brexit, UK companies might have to deal with similar issues if they store UK data in the EU, or EU data in the UK.
Data resides in physical warehouses (data centres) and is governed by the laws of the land. Hence why data residency could become the unwitting victim of a messy divorce between the UK and EU. As we negotiate Brexit, certain data legalities will be subject to change.
UK companies may not be able to house information about their European customers on UK soil and vice versa.
The end-result could spell an exodus of multinational companies, as they follow the Pied Piper’s data trail all the way to Dublin, Paris or Frankfurt. The flip side of this scenario is that data on UK citizens currently held in Europe would have to be repatriated back to British data centres.
Winning sovereignty but losing data flows
The Leave campaign lobbied primarily on issues of sovereignty - being able to make our own rules, without intervention from foreign governments. But in the process of asserting sovereignty over our laws and data, the UK may end up losing control of its data flows to its largest (by transfer volume) trading partner.
According to 4D’s survey almost one third of companies currently using an international public cloud for company data, are already planning to stop doing so following Brexit. Many of these will migrate over to a UK cloud provider.
But moving cloud suppliers is a Herculean task, given the management planning that needs to be done up-front (many companies don’t even know where their data resides) to overcome vendor lock-in and business disruption. VMWare estimates it would cost UK organizations an average £1.6m to move their data from one location to another - and that’s a conservative calculation.
Of the IT decision-makers 4D polled, 63% said Brexit has intensified their concerns surrounding data location and sovereignty - suggesting this is an issue that companies will act on.
At present, just 28% of companies think about data sovereignty in terms of how local laws will impact the way they store their data. The chances are the remaining 72 percent will follow suit soon, when the UK and the EU separate. In the process, they’ll probably spawn a whole new cottage industry of ‘compliance migration’ consultants as people try to move their data to a safe location. Hopefully this will neaten up a lot of company's data storage systems, and protect UK citizens from data breaches.
Preparing for Brexit
To navigate Brexit, businesses would do well to firstly determine where their data resides and what laws they’re subject to.
They’ll then need to assess how they can inject greater flexibility into their arrangements, given that certain options will be closed to them (e.g: using a foreign-owned data centre on UK land, or a UK-owned data centre on foreign land).
Given the political sensitivities, companies wanting to operate in the UK would do well to embrace UK-based (and owned) data centres. It will keep them on the right side of the law, they’ll enjoy cost savings from not having to run and maintain their own data centre and if their end users are nearby, they’ll enjoy all the benefits of low latency. The same is true if they choose UK based cloud providers.
In short, a business has a choice - to hope for the best but run the risk of being caught flat-footed, or plan now for an orderly transition.