Despite the outcome of the referendum to leave the EU, 73% of British businesses still support GDPR. Here our Managing Director, Jack Bedell-Pearce, discusses the implications of this conundrum.
During the UK referendum campaign, the Leave camp spoke ardently about the importance of protecting our sovereignty and making our own laws. Now we’re coming out of the EU and the single market, sovereignty is top of the agenda again, for the opposite reason. Rather than solving our right to sovereignty, Brexit threatens to destabilise it.
Right now, data holders are worried about the sovereignty of their information and the onus of complying with international laws that are not our own. For instance, company directors are wondering what their obligations will be if their organisation’s data is stored abroad and subject to the laws of the country in which the data resides. How do they comply with the country’s privacy regulations and keep foreign countries from being able to subpoena their data?
In the autumn of 2016, 4D surveyed 200 UK decision-makers in small-to-medium-sized businesses. We discovered that 72% of the respondents are under pressure to demonstrate data protection compliance for customer data and 63% say Brexit has intensified their concerns surrounding data location and sovereignty even further – suggesting matters of sovereignty may not have been the best reason for exiting the EU.
Brexit’s impact on the General Data Protection Regulation (GDPR) is a case in point. The UK authorities played a significant role in developing and refining the new EU framework, which comes into force on 25th May 2018.
Contrary to wanting to shake off the European-enforced legislation, 69% of businesses want to keep GDPR. Nearly half (46%) of these businesses are fully prepared to absorb additional costs incurred through direct marketing – which the Information Commissioner’s Office (ICO) estimates will come to an additional £76,000 a year. Just 23% would like to scrap GDPR to avoid extra operating costs, while the majority (59%) think GDPR should be compulsory for all large businesses.
This doesn’t necessarily mean that businesses are happy to embrace all European legislation. Data protection is a minefield and proper governance is desperately needed. For many, protecting one’s data is a major factor in a company’s decision-making. One in two businesses in the UK decide where data is stored based on matters of data security alone.
However, on the flip side, this means the other half aren’t thinking about data residency issues. We also know that only 28% think about data sovereignty in terms of how local laws will impact the way they store their data and 87% of IT decision-makers confess to not looking at data location and sovereignty issues post-referendum.
This lack of consideration could be a ticking time-bomb. If the UK’s data flows become pawns in a messy divorce, with Theresa May reiterating recently that the government is pushing a hard Brexit as opposed to soft, businesses will need to get to grips with where their data lies, what laws their data is subject to and who owns the data centres in which their data resides. As amorphous as cloud computing sounds, company data hosted in the cloud is not an ethereal mass of zeros and ones. It has a home and this home may become a bone of contention.
Yesteryear, a European data centre could have served UK and European customers. In just over two years’ time, companies may need a European data centre for European customers and a UK data centre for UK customers. If this comes to fruition, expect multinational companies serving a European population to move the bulk of their servers from London to a European data centre (e.g. in Dublin, Paris, Frankfurt etc.). This would represent a mass exodus of investment.
However, it also stands to reason that SMEs in the UK that don’t intend to trade with the EU would gain far more certainty and simplicity by placing their physical servers in a UK-owned and UK-located data centre, on a colocation basis. This is reflected in the 64% of respondents who believe that in the current climate, the assurance of colocation and flexibility of cloud infrastructure strikes a good balance.
We also have to consider the recently published (10th January) European Commission’s Free Flow of Data Initiative (FFDI) Communications proposal. Up until then, the position of the European Commission was that member states (with the exception of certain specific classes of data) need not require data to be located within nation state boundaries – by law. Companies would have the right to choose where to locate their data within the EU. To add to the confusion, they are also proposing to introduce new legal concepts and policy measures targeted at business to business transactions.
The only silver lining to this is that these proposals are still at the consultation phase and there may be opportunities for trade associations such as TechUK to push for reform.
So where does this leave software, cloud and hosting companies that want to enter the UK market over the next couple of years? Until very recently, data sovereignty has been a bit of a misnomer in the US and Europe as we’ve all become used to storing and transferring private citizen data across borders without much fuss. The only certainty emerging from all this uncertainty is that if you are looking to expand into the UK market, the safest long-term bet is to put your servers and data into British-based data centres.
By doing so, you will automatically be aligning the data security needs of your British clients with current and future UK data protection legislation – whatever that may be. Britain is also likely to adhere to the very strict data privacy rules it (ironically) helped craft in the upcoming General Data Protection Regulation (GDPR) in 2018. If the data centre or hosting provider happens to be British-owned, even better, as it won’t be subject to outside meddling from US agencies, as Microsoft has found out with some of its Irish-based data centres.
Taking a home-grown approach would certainly insulate SMEs from the negotiations’ changing winds. This awareness is starting to dawn. Almost one third of companies using an international public cloud for company data intend to stop doing so in two years’ time, following Brexit. Meanwhile, the proportion of companies using a UK public cloud for company data is expected to increase by almost a third in two years’ time, in the wake of the UK’s exit from the European Union.
While the wholesale movement of company data would be premature at this stage, the thinking certainly needs to be done over the next 12 months, in terms of the connotations of a business’s current cloud mix and the ins and outs of transitioning to a UK-based data centre.
The sovereignty of their data will only be one small piece of the jigsaw but it’s an important one. In the digital era, data is a company’s crown jewels and the way businesses treat and protect their data will govern their reputations.