(Image Credit: iStockPhoto/Maxiphoto)

During the UK referendum campaign, the Leave camp spoke ardently about the importance of protecting our sovereignty and making our own laws. Now we’re coming out of the EU and the single market, sovereignty is top of the agenda again, for the opposite reason. Rather than solving our right to sovereignty, Brexit threatens to destabilise it.

Right now, data holders are worried about the sovereignty of their information and the onus of complying with international laws that are not our own. For instance, company directors are wondering what their obligations will be if their organisation’s data is stored abroad and subject to the laws of the country in which the data resides? How do they comply with the country’s privacy regulations and keep foreign countries from being able to subpoena their data?

In the Autumn of 2016 4D surveyed 200 UK decision-makers in small-to-medium sized businesses. We discovered that 72% of the respondents are under pressure to demonstrate data protection compliance for customer data and 63% say Brexit has intensified their concerns surrounding data location and sovereignty even further – suggesting matters of sovereignty may not have been the best reason for exiting the EU.

Brexit’s impact on General Data Protection Regulations (GDPR) is a case in point. The UK authorities played a significant role in developing and refining the new EU framework, that comes into force on 25th May 2018.

Contrary to wanting to shake off the European enforced legislation, 69% of businesses want to keep GDPR. Nearly half (46%) of these businesses are fully prepared to absorb additional costs incurred through direct marketing – which the Information Commissioner’s Office (ICO) estimates will come to an additional £76,000 a year. Just 23% would like to scrap GDPR to avoid extra operating costs. While the majority (59%) think GDPR should be compulsory for all large businesses.

This doesn’t necessarily mean that businesses are happy to embrace all European legislation. Data protection is a minefield and proper governance is desperately needed. For many, protecting one’s data is a major factor in a company’s decision-making. One in two businesses in the UK decide where data is stored based on matters of data security alone.

However, on the flip side, this means the other half aren’t thinking about data residency issues. We also know that only 28% think about data sovereignty in terms of how local laws will impact the way they store their data and 87% of IT decision-makers confess to not looking at data location and sovereignty issues post-referendum.

This lack of consideration could be a ticking time-bomb. If the UK’s data flows become pawns in a messy divorce, with Theresa May reiterating recently that the government is pushing a hard Brexit as opposed to soft, businesses will need to get to grips with where their data lies, what laws their data is subject to, and who owns the data centers in which their data resides. As amorphous as cloud computing sounds, company data hosted in the cloud is not an ethereal mass of zeros and ones. It has a home and this home may become a bone of contention.

Yesteryear, a European data center could have served UK and European customers. In just over two years’ time, companies may need a European data center for European customers and a UK data center for UK customers. If this comes to fruition, expect multinational companies, serving a European population to move the bulk of their servers from London to a European data center (i.e. in Dublin, Paris, Frankfurt etc.). This would represent a mass exodus of investment.

However, it also stands to reason that SMEs in the UK that don’t intend to trade with the EU would gain far more certainty and simplicity by placing their physical servers in a UK owned and located data center, on a co-location basis. This is reflected in the 64% of respondents who believe that in the current climate, the assurance of colocation and flexibility of cloud infrastructure strikes a good balance.

We also have to consider the recently published (10th January) European Commission’s Free Flow of Data Initiative (FFDI) Communications proposal. Up until then, the position of the European Commission was that member states (with the exception of certain specific classes of data) need not require data to be located within nation-state boundaries – by law. Companies would have the right to choose where to locate their data within the EU. To add to the confusion, they are also proposing to introduce new legal concepts and policy measures targeted at business-to-business transactions.

The only silver lining to this is that these proposals are still in the consultation phase and there may be opportunities for trade associations such as TechUK to push for reform.

So where does this leave software, cloud and hosting companies that want to enter the UK market over the next couple of years? Until very recently, data sovereignty has been a bit of a misnomer in the US and Europe as we’ve all become used to storing and transferring private citizen data across borders without much fuss. The only certainty emerging from all this uncertainty is that if you are looking to expand into the UK market, the safest long-term bet is to put your servers and data into British-based data centers. By doing so, you will automatically be aligning the data security needs of your British clients with current and future UK data protection legislation – whatever that may be. Britain is also likely to adhere to the very strict data privacy rules it (ironically) helped craft in the upcoming General Data Protection Regulation (GDPR) in 2018. If the data center or hosting provider happens to be British owned, even better, as it won’t be subject to outside meddling from US agencies, as Microsoft has found out with some of its Irish-based data centers.

Taking a home-grown approach would certainly insulate SMEs them from the negotiations’ changing winds.  This awareness is starting to dawn. Almost one-third of companies using an international public cloud for company data intend to stop doing so in two years’ time, following Brexit. While the proportion of companies using a UK public cloud for company data are expected to increase by almost a third in two years’ time, in the wake of the UK’s exit from the European Union.

While the wholesale movement of company data would be premature at this stage, the thinking certainly needs to be done over the next 12 months, in terms of the connotations of a business’s current cloud mix and the ins and outs of transitioning to a UK-based data center. 

The sovereignty of their data will only be one small piece of the jigsaw but it’s an important one. In the digital era, data is a company’s crown jewels and the way businesses treat and protect their data will govern their reputations.

Are you concerned about Brexit disruption? Share your thoughts in the comments.

(Image Credit: iStockPhoto/Maxiphoto)

During the UK referendum campaign, the Leave camp spoke ardently about the importance of protecting our sovereignty and making our own laws. Now we’re coming out of the EU and the single market, sovereignty is top of the agenda again, for the opposite reason. Rather than solving our right to sovereignty, Brexit threatens to destabilise it.

Right now, data holders are worried about the sovereignty of their information and the onus of complying with international laws that are not our own. For instance, company directors are wondering what their obligations will be if their organisation’s data is stored abroad and subject to the laws of the country in which the data resides? How do they comply with the country’s privacy regulations and keep foreign countries from being able to subpoena their data?

In the Autumn of 2016 4D surveyed 200 UK decision-makers in small-to-medium sized businesses. We discovered that 72% of the respondents are under pressure to demonstrate data protection compliance for customer data and 63% say Brexit has intensified their concerns surrounding data location and sovereignty even further – suggesting matters of sovereignty may not have been the best reason for exiting the EU.

Brexit’s impact on General Data Protection Regulations (GDPR) is a case in point. The UK authorities played a significant role in developing and refining the new EU framework, that comes into force on 25th May 2018.

Contrary to wanting to shake off the European enforced legislation, 69% of businesses want to keep GDPR. Nearly half (46%) of these businesses are fully prepared to absorb additional costs incurred through direct marketing – which the Information Commissioner’s Office (ICO) estimates will come to an additional £76,000 a year. Just 23% would like to scrap GDPR to avoid extra operating costs. While the majority (59%) think GDPR should be compulsory for all large businesses.

This doesn’t necessarily mean that businesses are happy to embrace all European legislation. Data protection is a minefield and proper governance is desperately needed. For many, protecting one’s data is a major factor in a company’s decision-making. One in two businesses in the UK decide where data is stored based on matters of data security alone.

However, on the flip side, this means the other half aren’t thinking about data residency issues. We also know that only 28% think about data sovereignty in terms of how local laws will impact the way they store their data and 87% of IT decision-makers confess to not looking at data location and sovereignty issues post-referendum.

This lack of consideration could be a ticking time-bomb. If the UK’s data flows become pawns in a messy divorce, with Theresa May reiterating recently that the government is pushing a hard Brexit as opposed to soft, businesses will need to get to grips with where their data lies, what laws their data is subject to, and who owns the data centers in which their data resides. As amorphous as cloud computing sounds, company data hosted in the cloud is not an ethereal mass of zeros and ones. It has a home and this home may become a bone of contention.

Yesteryear, a European data center could have served UK and European customers. In just over two years’ time, companies may need a European data center for European customers and a UK data center for UK customers. If this comes to fruition, expect multinational companies, serving a European population to move the bulk of their servers from London to a European data center (i.e. in Dublin, Paris, Frankfurt etc.). This would represent a mass exodus of investment.

However, it also stands to reason that SMEs in the UK that don’t intend to trade with the EU would gain far more certainty and simplicity by placing their physical servers in a UK owned and located data center, on a co-location basis. This is reflected in the 64% of respondents who believe that in the current climate, the assurance of colocation and flexibility of cloud infrastructure strikes a good balance.

We also have to consider the recently published (10th January) European Commission’s Free Flow of Data Initiative (FFDI) Communications proposal. Up until then, the position of the European Commission was that member states (with the exception of certain specific classes of data) need not require data to be located within nation-state boundaries – by law. Companies would have the right to choose where to locate their data within the EU. To add to the confusion, they are also proposing to introduce new legal concepts and policy measures targeted at business-to-business transactions.

The only silver lining to this is that these proposals are still in the consultation phase and there may be opportunities for trade associations such as TechUK to push for reform.

So where does this leave software, cloud and hosting companies that want to enter the UK market over the next couple of years? Until very recently, data sovereignty has been a bit of a misnomer in the US and Europe as we’ve all become used to storing and transferring private citizen data across borders without much fuss. The only certainty emerging from all this uncertainty is that if you are looking to expand into the UK market, the safest long-term bet is to put your servers and data into British-based data centers. By doing so, you will automatically be aligning the data security needs of your British clients with current and future UK data protection legislation – whatever that may be. Britain is also likely to adhere to the very strict data privacy rules it (ironically) helped craft in the upcoming General Data Protection Regulation (GDPR) in 2018. If the data center or hosting provider happens to be British owned, even better, as it won’t be subject to outside meddling from US agencies, as Microsoft has found out with some of its Irish-based data centers.

Taking a home-grown approach would certainly insulate SMEs them from the negotiations’ changing winds.  This awareness is starting to dawn. Almost one-third of companies using an international public cloud for company data intend to stop doing so in two years’ time, following Brexit. While the proportion of companies using a UK public cloud for company data are expected to increase by almost a third in two years’ time, in the wake of the UK’s exit from the European Union.

While the wholesale movement of company data would be premature at this stage, the thinking certainly needs to be done over the next 12 months, in terms of the connotations of a business’s current cloud mix and the ins and outs of transitioning to a UK-based data center. 

The sovereignty of their data will only be one small piece of the jigsaw but it’s an important one. In the digital era, data is a company’s crown jewels and the way businesses treat and protect their data will govern their reputations.

Are you concerned about Brexit disruption? Share your thoughts in the comments.

(c)iStock.com/Delpixart

The campaigns were closely fought. Polls indicated it would be close. Still, many businesses assumed that the UK would stick to what they knew and vote to remain in the European Union (EU). In the aftermath of the vote to leave, and with the heat and hyperbole having largely dissipated, what new challenges does Brexit bring?

The Leave campaign was always a broad coalition of different interests, many with competing ideas. With a Brexit vote secured, some of those will fall by the wayside, while others become government policy. In the meantime, companies in the tech sector, dependent on investment to maintain their position, must live with the thing most likely to restrict it: uncertainty. 

The greatest uncertainty concerns access to markets and trade conditions. EU politicians have stated, repeatedly, that unrestricted access to the single market is conditional on Britain maintaining freedom of movement. Meanwhile, Brexit-supporting politicians in the UK believe that this is negotiable. It seems unlikely that the EU will reward Britain’s decision to go it alone with a uniquely advantageous arrangement, but it would be wrong to think that there is a single European stance. Much depends on whether the European Council or the European Commission takes the lead in negotiations. The Council is more likely to be pragmatic; the Commission may take a harder line.

Whatever happens, the UK won’t lose access to the single market – actually a single regulatory regime with a common set of technical standards, which benefit businesses outside the EU as much as those within it. UK exports may become subject to tariffs, but these average 2.3% for non-agricultural products: significant, but less so than movements in exchange rates, for example.

Tariffs may be reduced or removed by free trade agreements, which have been secured by every non-EU European country other than Belarus. British negotiators are likely to focus on key service industries, such as finance and technology. The size of our economy and its value to the EU, which enjoys a trade surplus of £88.7 billion with the UK, gives us a relatively strong bargaining position. Furthermore, the costs arising from new barriers in Europe could be offset by concluding trade agreements with countries outside the EU. According to Eurostat, over 56% of UK trade is with non-EU states, up from 38% in 2002. Among EU members, only Malta does a higher proportion of its trade outside the bloc, so the EU’s lack of success in forging external trade agreements has affected Britain disproportionately.

A second risk for the tech sector relates to the free movement of data. The EU’s General Data Protection Regulation (GDPR), which sets common rules on storage and transfer of personal data, comes into effect in May 2018. The GDPR won’t exclude British providers from handling EU data, provided they comply with the regulation. However, the regulation would have applied automatically had the UK remained in the EU. Now, either Parliament must pass new laws to bring Britain into line with the new standards, or UK companies will need to be assessed by the Commission. This is an unwelcome hindrance, but most data processing companies will already meet the standards, if they are already ISO 27001 certified.

A third risk, particularly relevant to the technology sector, is energy security and cost. Recent governments have under-invested in new generating capacity, but a new nuclear plant at Hinkley Point was expected to address that. Hinkley Point could provide 7% of the UK’s supply, but the project has been beset by problems, delaying completion from 2017 to no earlier than 2025. The principal contractor, EDF, is 85% owned by the French government and struggling under billions of euros of debt. In the aftermath of the Brexit vote, reports in the press suggested that the deal is under threat. EDF will no longer be investing in an EU partner country, and the French unions, concerned about the company’s ability to take on more debt, have used the opportunity to argue against it.

Hinkley Point is also dependent on large subsidies from the British government, which will support EDF. The European Commission agreed to these in 2014, but it’s possible that a coalition of European governments, many of which are anti-nuclear, will seek to block the deal under EU competition laws.

If Hinkley Point falls through, or if Britain is unable to sell surplus nuclear energy to the continent, the cost of power will go up and by proxy, the cost of running offices, data centres and the cloud will increase as well.

Despite the risks, Brexit provides an opportunity for UK business to change the way we trade with Europe and the wider world. As ever, we will succeed if we produce goods and services that other countries want. Britain must remain open to trade, people, data and ideas, and continue to welcome the best and brightest of everything from around the world.  The tech sector, which prides itself on being agile in the face of changing conditions, is actually well placed to benefit from the changes, even if Brexit wasn’t the result that it expected or desired. Looking forward, post-Brexit Britain could be a very exciting place to be.

In terms of GDPR specifically, the UK’s Information Commissioner’s Office (ICO) has confirmed that “if the UK is not part of the EU, then upcoming EU reforms to data protection law would not directly apply to the UK. But if the UK wants to trade with the single market on equal terms we would have to prove ‘adequacy’” – in other words UK data protection standards would have to be equivalent to the EU’s General Data Protection Regulation framework starting in 2018.”

From a contingency perspective therefore, most big companies and especially cloud hosting firms are acting as if the GDPR will come into effect on the May 28 2018, to ensure that, even after we exit the EU, we can still trade as effectively, and legally, as we would if we remained a part of the Union.